Fix bugs detected from sonarcloud.

IceWhaleTech · Dec 28, 2023 · 52522ba · 52522ba
1 parent 73d9a95
commit 52522ba
Show file tree

Hide file tree

Showing 10 changed files with 648 additions and 62 deletions.
diff --git a/main/package.json b/main/package.json
@@ -71,6 +71,7 @@
     "vue-breakpoint-mixin": "^1.5.0",
     "vue-codemirror": "^4.0.6",
     "vue-custom-scrollbar": "^1.4.4",
+    "vue-dompurify-html": "2.6.0",
     "vue-ellipse-progress": "^1.3.1",
     "vue-fullscreen": "^2.6.2",
     "vue-i18n": "8.28.2",

diff --git a/main/src/components/Apps/AppPanel.vue b/main/src/components/Apps/AppPanel.vue
@@ -370,7 +370,7 @@
 					</div>
 					<b-progress :value="totalPercentage" format="percent" show-value type="is-primary"></b-progress>
 					<h3 :class="currentInstallAppTextClass" class="title is-6 has-text-centered" style="height: 20px"
-						v-html="currentInstallAppText"></h3>
+					v-dompurify-html="currentInstallAppText"></h3>
 				</div>
 			</section>
 			<!-- App Install Process End -->

diff --git a/main/src/components/BrandBar.vue b/main/src/components/BrandBar.vue
@@ -1,11 +1,3 @@
-<!--
- * @LastEditors: Jerryk [email protected]
- * @LastEditTime: 2023-02-27 23:35:25
- * @FilePath: \CasaOS-UI-0.4.2\src\components\BrandBar.vue
-  * @Description:
-  *
-  * Copyright (c) 2022 by IceWhale, All Rights Reserved.
-  -->
 <template>
 	<div class="brand-bar is-flex is-align-items-flex-end has-text-white">
 		<figure class="image _is-136x26 mb-3">
@@ -16,7 +8,7 @@
 		<span v-else class="window ml-4">
 			<ul :style="{ '--time': 5 * line + 's', '--perc': perc, '--line': line }" class="scroll">
 				<li v-for="(item, key) in rss" :key="key" class="has-text-left" @click="$messageBus('connect_news')">
-					<a :href="item.link" class="intro-text" target="_blank">{{ item.title }}</a>
+					<a :href="xss(item.link)" class="intro-text" target="_blank">{{ item.title }}</a>
 				</li>
 			</ul>
 		</span>
@@ -26,7 +18,7 @@
 
 <script>
 import Parser from "rss-parser";
-
+import xss from 'xss'
 export default {
 	name: "brand-bar",
 	components: {},

diff --git a/main/src/components/feedback/FeedbackPanel.vue b/main/src/components/feedback/FeedbackPanel.vue
@@ -19,7 +19,7 @@
 							 type="textarea"></b-input>
 				</b-field>
 				<b-field :label="$t('System infomation')">
-					<div class="feedback-info-container is-size-14px" v-html="markdownToHtml"></div>
+					<div class="feedback-info-container is-size-14px" v-dompurify-html="markdownToHtml"></div>
 				</b-field>
 			</div>
 		</section>

diff --git a/main/src/components/logsAndTerminal/LogsCard.vue b/main/src/components/logsAndTerminal/LogsCard.vue
@@ -5,7 +5,7 @@
 			<b-icon :icon="buttonIcon"></b-icon>
 		</a>
 		<div id="logs" :class="[fullscreen ? 'fullheight' : 'sheight']" class="logs scrollbars">
-			<div contenteditable v-html="data" class="content"></div>
+			<div contenteditable v-dompurify-html="data" class="content"></div>
 		</div>
 	</fullscreen>
 </template>

diff --git a/main/src/components/settings/UpdateCompleteModal.vue b/main/src/components/settings/UpdateCompleteModal.vue
@@ -12,7 +12,7 @@
 		<!-- Modal-Card Body Start -->
 		<section class="modal-card-body ">
 			<div class="node-card  mt-5 mb-5">
-				<div class="update-info-container  is-size-14px " v-html="markdownToHtml"></div>
+				<div class="update-info-container  is-size-14px " v-dompurify-html="markdownToHtml"></div>
 				<div class="mt-2rem">
 					<h3 class="title is-5 mb-2">{{ $t('Let more friends know') }}</h3>
 					<div class=" is-size-14px">{{ $t('Please share to friends who are concerned about family and data privacy to join and use CasaOS.') }}

diff --git a/main/src/components/settings/UpdateModal.vue b/main/src/components/settings/UpdateModal.vue
@@ -11,8 +11,8 @@
 		<!-- Modal-Card Body Start -->
 		<section class="modal-card-body ">
 			<div class="node-card fixed-height">
-				<div v-if="!isUpdating" class="update-info-container  is-size-14px" v-html="markdownToHtml"></div>
-				<div v-else class="update-info-container  is-size-14px" v-html="updateMarkdownHtml"></div>
+				<div v-if="!isUpdating" class="update-info-container  is-size-14px" v-dompurify-html="markdownToHtml"></div>
+				<div v-else class="update-info-container  is-size-14px" v-dompurify-html="updateMarkdownHtml"></div>
 			</div>
 		</section>
 		<!-- Modal-Card Body End -->

diff --git a/main/src/main.js b/main/src/main.js
@@ -1,23 +1,23 @@
 import 'intersection-observer'
-import Vue              from 'vue'
-import App              from '@/App.vue'
-import router           from '@/router'
-import store            from '@/store'
-import i18n             from '@/plugins/i18n'
-import api              from '@/service/api.js'
-import openAPI          from '@/service/index.js'
-import Buefy            from 'buefy'
-import VueFullscreen    from 'vue-fullscreen'
-import Vue2TouchEvents  from 'vue2-touch-events'
+import Vue from 'vue'
+import App from '@/App.vue'
+import router from '@/router'
+import store from '@/store'
+import i18n from '@/plugins/i18n'
+import api from '@/service/api.js'
+import openAPI from '@/service/index.js'
+import Buefy from 'buefy'
+import VueFullscreen from 'vue-fullscreen'
+import Vue2TouchEvents from 'vue2-touch-events'
 import VueSocialSharing from 'vue-social-sharing'
-import VueSocketIOExt   from 'vue-socket.io-extended';
-import messageBus       from '@/events/index.js'
-import xss from 'xss'; 
+import VueSocketIOExt from 'vue-socket.io-extended';
+import messageBus from '@/events/index.js'
+import VueDOMPurifyHTML from 'vue-dompurify-html'
 
 
 // Import Styles
 import '@/assets/scss/app.scss'
-import VAnimateCss      from 'v-animate-css';
+import VAnimateCss from 'v-animate-css';
 
 const io = require("socket.io-client");
 
@@ -39,10 +39,15 @@ const socket = io(wsURL, {
 
 Vue.use(Buefy)
 Vue.use(VueFullscreen)
-Vue.use(VAnimateCss, {animateCSSPath: '/css/animate.min.css'});
+Vue.use(VAnimateCss, { animateCSSPath: '/css/animate.min.css' });
 Vue.use(Vue2TouchEvents)
 Vue.use(VueSocketIOExt, socket);
 Vue.use(VueSocialSharing);
+Vue.use(VueDOMPurifyHTML, {
+	default: {
+		ALLOWED_ATTR: ['target', 'href']
+	}
+});
 
 Vue.config.productionTip = false
 Vue.prototype.$api = api;
@@ -51,7 +56,7 @@ Vue.prototype.$baseIp = baseIp;
 Vue.prototype.$baseURL = baseURL;
 Vue.prototype.$protocol = protocol;
 Vue.prototype.$wsProtocol = wsProtocol;
-Vue.prototype.xss = xss;
+
 
 // Create an EventBus
 Vue.prototype.$EventBus = new Vue();

diff --git a/main/vue.config.js b/main/vue.config.js
@@ -22,22 +22,6 @@ module.exports = {
 			.type("javascript/auto")
 			.include.add(/node_modules/)
 			.end();
-
-		config.module
-			.rule("vue")
-			.use("vue-loader")
-			.loader("vue-loader")
-			.tap(options => {
-				options.compilerOptions.directives = {
-					html(node, directiveMeta) {
-						(node.props || (node.props = [])).push({
-							name: "innerHTML",
-							value: `xss(_s(${directiveMeta.value}))`
-						});
-					}
-				};
-				return options;
-			});
 		const oneOfsMap = config.module.rule("scss").oneOfs.store;
 		oneOfsMap.forEach(item => {
 			item