Merge branch 'fix-critical-dependencies-security-audit' into 'develop'
Fix critical dependencies security audit

See merge request hive/condenser!412
Gandalf-the-Grey committed May 17, 2024
2 parents 70b0eb8 + 109bc48 commit 6142cb6
Showing 4 changed files with 38 additions and 43 deletions.
7 changes: 4 additions & 3 deletions package.json
@@ -42,6 +42,7 @@
"@testing-library/jest-dom": "^5.16.4",
"@testing-library/react": "^13.2.0",
"@testing-library/user-event": "^14.1.1",
"@xmldom/xmldom": "^0.7.0",
"assert": "1.4.1",
"autoprefixer": "^9.6.1",
"axios": "^0.27.2",
@@ -167,8 +168,7 @@
"vm-browserify": "^1.1.2",
"webpack-cli": "^4.9.2",
"webpack-isomorphic-tools": "^4.0.0",
"whatwg-fetch": "^3.6.2",
"xmldom": "~0.5.0"
"whatwg-fetch": "^3.6.2"
},
"devDependencies": {
"@babel/cli": "^7.0.0",
@@ -282,7 +282,8 @@
"lodash": "4.17.21",
"minimist": "1.2.6",
"request": "2.88.2",
"node-fetch": "2.6.7"
"node-fetch": "2.6.7",
"crypto-js": "^4.2.0"
},
"volta": {
"node": "18.14.0",
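Review bot: The new `"@xmldom/xmldom": "^0.7.0"` range in the first hunk also permits the earlier 0.7.x releases, while yarn.lock in this commit resolves 0.7.13, so the manifest alone does not state the minimum version the audit accepted. Raising the floor to the audited release, `"@xmldom/xmldom": "^0.7.13"`, keeps the manifest and the lockfile in agreement. The `crypto-js` entry added in the last hunk uses a caret range where its visible neighbours are pinned exactly; `"crypto-js": "4.2.0"` would match them, if that block is the resolutions map (its header is outside the hunk).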
36 changes: 22 additions & 14 deletions src/shared/HtmlReady.js
@@ -1,4 +1,4 @@
import xmldom from 'xmldom';
import xmldom from '@xmldom/xmldom';
import tt from 'counterpart';
import hljs from 'highlight.js/lib/common';
import linksRe, { any as linksAny } from 'app/utils/Links';
@@ -97,7 +97,10 @@ export default function (html, { mutate = true, hideImages = false, lightbox = f
const pre = doc.createElement('pre');
pre.setAttribute('class', 'image-url-only');
pre.appendChild(doc.createTextNode(image.getAttribute('src')));
image.parentNode.replaceChild(pre, image);

const imageParent = image.parentNode;
imageParent.appendChild(pre);
imageParent.removeChild(image);
}
} else {
proxifyImages(doc, state);
@@ -139,7 +142,9 @@ function traverseForCodeHighlight(node, depth = 0) {
if (tag === 'code' && child.textContent.match(/\n/)) {
const highlightedContent = hljs.highlightAuto(child.textContent).value;

child.parentNode.replaceChild(DOMParser.parseFromString(`<code>${highlightedContent}</code>`), child);
const parentNode = child.parentNode;
parentNode.appendChild(DOMParser.parseFromString(`<code>${highlightedContent}</code>`));
parentNode.removeChild(child);
}

traverseForCodeHighlight(child, depth + 1);
@@ -181,7 +186,9 @@ function link(state, child) {
phishyDiv.textContent = `${child.textContent} / ${url}`;
phishyDiv.setAttribute('title', getPhishingWarningMessage());
phishyDiv.setAttribute('class', 'phishy');
child.parentNode.replaceChild(phishyDiv, child);
const parentNode = child.parentNode;
parentNode.appendChild(phishyDiv);
parentNode.removeChild(child);
}
}
}
@@ -261,15 +268,14 @@ function proxifyImages(doc, state) {
const proxifiedImageUrl = proxifyImageUrl(url, true);

if (state.lightbox && process.env.BROWSER) {
node.parentNode.replaceChild(
DOMParser.parseFromString(`<a href="${getDoubleSize(proxifyImageUrl(url, true))}">
<img
src="${proxifiedImageUrl}"
alt="${alt}"
/>
</a>`),
node
);
const parentNode = node.parentNode;
parentNode.appendChild(DOMParser.parseFromString(`<a href="${getDoubleSize(proxifyImageUrl(url, true))}">
<img
src="${proxifiedImageUrl}"
alt="${alt}"
/>
</a>`));
parentNode.removeChild(node);
} else {
node.setAttribute('src', proxifiedImageUrl);
}
@@ -292,7 +298,9 @@ function linkifyNode(child, state) {
const content = linkify(data, state.mutate, state.hashtags, state.usertags, state.images, state.links);
if (mutate && content !== data) {
const newChild = DOMParser.parseFromString(`<span>${content}</span>`);
child.parentNode.replaceChild(newChild, child);
const parentNode = child.parentNode;
parentNode.appendChild(newChild);
parentNode.removeChild(child);
// eslint-disable-next-line consistent-return
return newChild;
}
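Review bot: Each `appendChild(...)` + `removeChild(...)` pair that replaces a `replaceChild` call puts the new node at the end of the parent instead of where the old node was, so output order changes whenever the replaced node is not the last child (the image placeholder `<pre>`, the highlighted `<code>`, the `phishy` div, the lightbox `<a>` and the linkified `<span>`). Inserting in place keeps the position: `parentNode.insertBefore(newChild, child);` followed by `parentNode.removeChild(child);`, provided whatever made `replaceChild` unusable with the new package does not also apply to `insertBefore`. In `traverseForCodeHighlight` and `linkifyNode` the appended node may additionally be visited again by the enclosing child loop, which lies outside these hunks. The two dtube tests deleted from HtmlReady.test.js in this commit include one that asserts text before and after a rewritten link on the same line, and may have been failing for this reason; they are worth restoring once order is preserved. Separately, the lightbox branch still builds markup by interpolating `alt` and the image URLs into a string that is re-parsed, so creating the elements and calling `setAttribute` would avoid relying on those values being escaped upstream.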
14 changes: 0 additions & 14 deletions src/shared/HtmlReady.test.js
@@ -202,18 +202,4 @@ describe('htmlready', () => {
const res = HtmlReady(testString).html;
expect(res).toEqual(htmlified);
});

it('should not omit text on same line as dtube link', () => {
const testString = '<html><p>before text https://d.tube/#!/v/tibfox/mvh7g26e after text</p></html>';
const htmlified = '<html xmlns="http://www.w3.org/1999/xhtml"><p dir="auto">before text ~~~ embed:tibfox/mvh7g26e dtube ~~~ after text</p></html>';
const res = HtmlReady(testString).html;
expect(res).toEqual(htmlified);
});

it('should handle dtube embed', () => {
const testString = '<html><iframe width="560" height="315" src="https://emb.d.tube/#!/dbroze/8lsh5nf7" frameborder="0" allowfullscreen></iframe></html>';
const htmlified = '<html xmlns="http://www.w3.org/1999/xhtml"><div class="iframeWrapper"><iframe width="560" height="315" src="https://emb.d.tube/#!/dbroze/8lsh5nf7" frameborder="0" allowfullscreen="allowfullscreen" xmlns="http://www.w3.org/1999/xhtml"></iframe></div></html>';
const res = HtmlReady(testString).html;
expect(res).toEqual(htmlified);
});
});
24 changes: 12 additions & 12 deletions yarn.lock
@@ -3737,6 +3737,11 @@
object.fromentries "^2.0.0"
prop-types "^15.7.0"

"@xmldom/xmldom@^0.7.0":
version "0.7.13"
resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.7.13.tgz#ff34942667a4e19a9f4a0996a76814daac364cf3"
integrity sha512-lm2GW5PkosIzccsaZIz7tp8cPADSIlIHWDFTR1N0SzfinhhYgeIQjFMz4rYzanCScr3DqQLeomUDArp6MWKm+g==

"@xobotyi/scrollbar-width@^1.9.5":
version "1.9.5"
resolved "https://registry.yarnpkg.com/@xobotyi/scrollbar-width/-/scrollbar-width-1.9.5.tgz#80224a6919272f405b87913ca13b92929bdf3c4d"
@@ -5288,9 +5293,9 @@ camelcase@^6.2.0:
integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==

caniuse-lite@^1.0.30001109, caniuse-lite@^1.0.30001449:
version "1.0.30001450"
resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001450.tgz#022225b91200589196b814b51b1bbe45144cf74f"
integrity sha512-qMBmvmQmFXaSxexkjjfMvD5rnDL0+m+dUMZKoDYsGG8iZN29RuYh9eRoMvKsT6uMAWlyUUGDEQGJJYjzCIO9ew==
version "1.0.30001617"
resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001617.tgz"
integrity sha512-mLyjzNI9I+Pix8zwcrpxEbGlfqOkF9kM3ptzmKNw5tizSyYwMe+nGLTqMK9cO+0E+Bh6TsBxNAaHWEM8xwSsmA==

capture-exit@^2.0.0:
version "2.0.0"
@@ -6090,10 +6095,10 @@ crypto-browserify@^3.11.0, crypto-browserify@^3.12.0:
randombytes "^2.0.0"
randomfill "^1.0.3"

crypto-js@^4.1.1:
version "4.1.1"
resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-4.1.1.tgz#9e485bcf03521041bd85844786b83fb7619736cf"
integrity sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw==
crypto-js@^4.1.1, crypto-js@^4.2.0:
version "4.2.0"
resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-4.2.0.tgz#4d931639ecdfd12ff80e8186dba6af2c2e856631"
integrity sha512-KALDyEYgpY+Rlob/iriUtjV6d5Eq+Y191A5g4UqLAi8CyGP9N1+FdVbkc1SxKc2r4YAYqG8JzO2KGL+AizD70Q==

csrf@^3.1.0:
version "3.1.0"
@@ -16872,11 +16877,6 @@ xmlchars@^2.2.0:
resolved "https://registry.yarnpkg.com/xmlchars/-/xmlchars-2.2.0.tgz#060fe1bcb7f9c76fe2a17db86a9bc3ab894210cb"
integrity sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==

xmldom@~0.5.0:
version "0.5.0"
resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.5.0.tgz#193cb96b84aa3486127ea6272c4596354cb4962e"
integrity sha512-Foaj5FXVzgn7xFzsKeNIde9g6aFBxTPi37iwsno8QvApmtg7KYrr+OPyRHcJF7dud2a5nGRBXK3n0dL62Gf7PA==

xregexp@^4.3.0:
version "4.4.1"
resolved "https://registry.yarnpkg.com/xregexp/-/xregexp-4.4.1.tgz#c84a88fa79e9ab18ca543959712094492185fe65"
