Issue #213: Content sanitization

This commits add sanitization using for comments summary and content using DOMPurify. To test it, I faked the response of `/api/comments/byepisodeid` with a hard coded json file containing in the content of comments some examples from the section "Some purification samples please?". References: - https://www.npmjs.com/package/dompurify
Podcastindex-org · Feb 11, 2023 · 07207d2 · 07207d2
1 parent f2037c2
commit 07207d2
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/package.json b/package.json
@@ -7,6 +7,7 @@
     "private": true,
     "dependencies": {
         "@hcaptcha/react-hcaptcha": "^0.3.9",
+        "@types/dompurify": "^2.4.0",
         "@types/history": "^4.7.5",
         "@types/react": "^16.9.20",
         "@types/react-dom": "^16.9.5",
@@ -19,6 +20,7 @@
         "canvas-confetti": "^1.5.1",
         "connected-react-router": "^6.7.0",
         "crypto-js": "^4.0.0",
+        "dompurify": "^2.4.3",
         "dotenv": "^8.2.0",
         "express": "^4.17.1",
         "history": "^4.10.1",

diff --git a/ui/src/components/Comments/index.tsx b/ui/src/components/Comments/index.tsx
@@ -1,4 +1,5 @@
 import * as React from 'react'
+import DOMPurify from 'dompurify'
 
 import './styles.scss'
 
@@ -140,8 +141,8 @@ export default class Comments extends React.PureComponent<IProps, IState> {
         }
 
         if(node.comment) {
-            const summary = Comments.resolveLanguageTaggedValues(node.comment.summary);
-            const content = Comments.resolveLanguageTaggedValues(node.comment.content); 
+            const summary = node.comment.summary && DOMPurify.sanitize(Comments.resolveLanguageTaggedValues(node.comment.summary));
+            const content = node.comment.content && DOMPurify.sanitize(Comments.resolveLanguageTaggedValues(node.comment.content));
 
             stateComment = {
                 ...stateComment,