web/admin: add strict dompurify config for diagram
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
BeryJu committed Oct 23, 2024
1 parent 40c7fef commit 51dd7f3
Showing 2 changed files with 7 additions and 0 deletions.
4 changes: 4 additions & 0 deletions web/src/common/purify.ts
@@ -6,6 +6,10 @@ import { TemplateResult, html } from "lit";
import { unsafeHTML } from "lit/directives/unsafe-html.js";
import { until } from "lit/directives/until.js";

export const DOM_PURIFY_STRICT: DOMPurify.Config = {
ALLOWED_TAGS: ["#text"],
};

export function purify(input: TemplateResult): TemplateResult {
return html`${until(
(async () => {
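Review bot: `DOM_PURIFY_STRICT` is exported with no comment stating what it guarantees, and as a plain mutable object any importer can widen `ALLOWED_TAGS` for every other consumer. A TSDoc line would pin the contract, e.g. `/** Text-only DOMPurify config: all elements are removed; with DOMPurify's default KEEP_CONTENT their inner text is kept. */`. Wrapping the literal in `Object.freeze({ ALLOWED_TAGS: ["#text"] })` would keep the allow-list from being changed at runtime; before doing so, confirm that no consumer writes to the object it is handed, which is not visible from this hunk. The `purify()` function that follows continues outside the hunk, so whether it should also use this config cannot be judged here.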
3 changes: 3 additions & 0 deletions web/src/elements/Diagram.ts
@@ -1,4 +1,5 @@
import { EVENT_REFRESH, EVENT_THEME_CHANGE } from "@goauthentik/common/constants";
import { DOM_PURIFY_STRICT } from "@goauthentik/common/purify";
import { AKElement } from "@goauthentik/elements/Base";
import "@goauthentik/elements/EmptyState";
import mermaid, { MermaidConfig } from "mermaid";
@@ -47,6 +48,8 @@ export class Diagram extends AKElement {
curve: "linear",
},
htmlLabels: false,
securityLevel: "strict",
dompurifyConfig: DOM_PURIFY_STRICT,
};
mermaid.initialize(this.config);
}
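Review bot: The added keys `securityLevel: "strict"` and `dompurifyConfig: DOM_PURIFY_STRICT` have no comment saying why they are pinned, so a later config edit could drop them without anyone noticing that sanitisation changed. Suggest a line above them such as `// Pin strict mode and a text-only DOMPurify config so label text cannot introduce markup.` The text-only allow-list removes every element, so it is worth confirming that labels which rely on line breaks still render as intended. If `this.config` is rebuilt or `mermaid.initialize` is called again elsewhere in the class (for example on a theme change), those paths need to carry the same two keys. The enclosing method starts and ends outside the hunk, so neither can be checked from here.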
