fix: fixed markdown related high risk bugs

fix: https://github.com/koreanbots/v2-testing/issues/29 fix: https://github.com/koreanbots/v2-testing/issues/31
2025-12-16 14:30:22 +00:00 · 2021-01-17 10:32:29 +09:00 · 2021-01-17 10:32:29 +09:00 · 0db9c69ff7
commit 0db9c69ff7
parent 22990663b9
3 changed files with 15 additions and 5 deletions
--- a/pages/_document.tsx
+++ b/pages/_document.tsx
@ -28,7 +28,7 @@ class MyDocument extends Document {
 						}}
 					/>
 				</Head>
-				<body className='h-full text-black dark:text-gray-100 dark:bg-discord-dark bg-white'>
+				<body className='h-full overflow-x-hidden text-black dark:text-gray-100 dark:bg-discord-dark bg-white'>
 					<Main />
 					<NextScript />
 				</body>
--- a/pages/bots/[id].tsx
+++ b/pages/bots/[id].tsx
@ -33,7 +33,7 @@ const Bots: NextPage<BotsProps> = ({ data, date }) => {
 						: `https://cdn.discordapp.com/embed/avatars/${Number(data.tag) % 5}.png?size=1024`
 				}
 			/>
-			<div className='lg:flex'>
+			<div className='lg:flex w-full'>
 				<div className='w-full text-center lg:w-1/4'>
 					<DiscordAvatar
 						userID={data.id}
@ -42,7 +42,7 @@ const Bots: NextPage<BotsProps> = ({ data, date }) => {
 						className='w-full'
 					/>
 				</div>
-				<div className='flex-grow px-5 py-12 w-full text-center lg:w-5/12 lg:text-left'>
+				<div className='flex-grow px-5 py-12 w-full text-center lg:w-5/12 lg:text-left w-full'>
 					<div>
 						<Tag
 							circular
--- a/pages/debug.tsx
+++ b/pages/debug.tsx
@ -79,8 +79,18 @@ https://github.com/koreanbots
 				</div>
 				<div className='w-full lg:w-1/2 p-10 markdown-body'>
 					<MarkdownView markdown={ formik.values.markdown } extensions={[ anchorHeader ]} options={{ openLinksInNewWindow: true, underline: true, emoji: true, omitExtraWLInCodeBlocks: true, literalMidWordUnderscores: true, simplifiedAutoLink: true, tables: true, strikethrough: true, smoothLivePreview: true, tasklists: true, ghCompatibleHeaderId: true, encodeEmails: true }} sanitizeHtml={(html)=> sanitizeHtml(html, {
-						allowedTags: false,
-						allowedAttributes: false
+						allowedTags: [
+							'addr', 'address', 'article', 'aside', 'h1', 'h2', 'h3', 'h4',
+							'h5', 'h6', 'section', 'blockquote', 'dd', 'div',
+							'dl', 'dt', 'hr', 'li', 'ol', 'p', 'pre',
+							'ul', 'a', 'abbr', 'b', 'bdi', 'bdo', 'br', 'cite', 'code', 'data', 'dfn',
+							'em', 'i', 'kbd', 'mark', 'q', 'rb', 'rp', 'rt', 'rtc', 'ruby', 's', 'samp',
+							'small', 'span', 'strong', 'sub', 'sup', 'time', 'u', 'var', 'wbr', 'caption',
+							'col', 'colgroup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'del',
+							'img', 'svg', 'input'
+						],
+						allowedAttributes: false,
+						disallowedTagsMode: 'escape'
 					})} />
 				</div>
 			</div>