dearwolf/aider
1
0
Fork 0
mirror of https://github.com/Aider-AI/aider.git synced 2025-06-04 03:35:00 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

feat: Enhance share page security with markdown sanitization and error handling

Browse source
This commit is contained in:
Paul Gauthier (aider) 2024-11-18 13:40:15 -08:00
parent 3c9c6eef6e
commit 46ecb8a663
1 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

17
aider/website/share/index.md
View file

@ -4,7 +4,7 @@ nav_exclude: true
<meta http-equiv="Content-Security-Policy" <meta http-equiv="Content-Security-Policy"
content="default-src 'self'; content="default-src 'self';
script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com;
connect-src http: https:; connect-src http: https:;
style-src 'self' 'unsafe-inline';"> style-src 'self' 'unsafe-inline';">
@ -43,6 +43,7 @@ print("goodbye")
</div> </div>
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.6/purify.min.js"></script>
<script> <script>
function isValidUrl(url) { function isValidUrl(url) {
try { try {
@ -53,11 +54,18 @@ function isValidUrl(url) {
} }
} }
// Configure marked with secure defaults
marked.setOptions({
headerIds: false,
mangle: false
});
window.onload = function() { window.onload = function() {
var urlParams = new URLSearchParams(window.location.search); var urlParams = new URLSearchParams(window.location.search);
var conv = urlParams.get('mdurl'); var conv = urlParams.get('mdurl');
if (!conv || !isValidUrl(conv)) { if (!conv || !isValidUrl(conv)) {
console.error('Invalid or missing URL'); document.querySelector('#shared-transcript').innerHTML =
'<div style="color: red; padding: 1em;">Error: Invalid or missing URL provided</div>';
return; return;
} }
document.getElementById('mdurl').href = conv; document.getElementById('mdurl').href = conv;
@ -79,11 +87,14 @@ window.onload = function() {
return line; return line;
}).join('\n'); }).join('\n');
var html = marked.parse(markdown); var html = marked.parse(markdown);
var sanitizedHtml = DOMPurify.sanitize(html);
var divElement = document.querySelector('#shared-transcript'); var divElement = document.querySelector('#shared-transcript');
divElement.innerHTML = html; divElement.innerHTML = sanitizedHtml;
}) })
.catch(error => { .catch(error => {
console.error('Error fetching markdown:', error); console.error('Error fetching markdown:', error);
document.querySelector('#shared-transcript').innerHTML =
'<div style="color: red; padding: 1em;">Error: Failed to load chat transcript</div>';
}); });
} }
</script> </script>