oss/miniflux-v2
oss/miniflux-v2
1
0
Fork 0
mirror of https://github.com/miniflux/v2.git synced 2025-07-17 17:08:36 +00:00
Code Wiki Activity

Allow images with data URLs

Browse source 
Only URLs with a mime-type image/* are allowed
This commit is contained in:
Frédéric Guillot 2021-02-06 14:33:28 -08:00 committed by fguillot
parent 9a9a271b1f
commit 864dd9f219
4 changed files with 34 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

23
reader/sanitizer/sanitizer.go
View file

@ -111,7 +111,7 @@ func sanitizeAttributes(baseURL, tagName string, attributes []html.Attribute) ([
} else {
continue
}
} else if tagName == "img" && attribute.Key == "src" && strings.HasPrefix(attribute.Val, "data:") {
} else if tagName == "img" && attribute.Key == "src" && isValidDataAttribute(attribute.Val) {
value = attribute.Val
} else {
value, err = url.AbsoluteURL(baseURL, value)
@ -480,3 +480,24 @@ func isValidWidthOrDensityDescriptor(value string) bool {
_, err := strconv.ParseFloat(value[0:len(value)-1], 32)
return err == nil
}
func isValidDataAttribute(value string) bool {
var dataAttributeAllowList = []string{
"data:image/avif",
"data:image/apng",
"data:image/png",
"data:image/svg",
"data:image/svg+xml",
"data:image/jpg",
"data:image/jpeg",
"data:image/gif",
"data:image/webp",
}
for _, prefix := range dataAttributeAllowList {
if strings.HasPrefix(value, prefix) {
return true
}
}
return false
}