fix: don't allow unnecessary attributes in profile bio

2025-09-16 11:34:09 +05:30
parent e16cecd149
commit ed162e2546
6 changed files with 46 additions and 4 deletions
--- a/frontend/src/components/Modals/EditProfile.vue
+++ b/frontend/src/components/Modals/EditProfile.vue
@@ -97,7 +97,8 @@ import {
 } from 'frappe-ui'
 import { reactive, watch } from 'vue'
 import { FileText, X } from 'lucide-vue-next'
-import { getFileSize } from '@/utils'
+import { getFileSize, decodeEntities } from '@/utils'
+import DOMPurify from 'dompurify'

 const reloadProfile = defineModel('reloadProfile')

@@ -147,6 +148,22 @@ const updateProfile = createResource({
 })

 const saveProfile = (close) => {
+	profile.bio = DOMPurify.sanitize(decodeEntities(profile.bio), {
+		ALLOWED_TAGS: [
+			'b',
+			'i',
+			'em',
+			'strong',
+			'a',
+			'p',
+			'br',
+			'ul',
+			'ol',
+			'li',
+			'img',
+		],
+		ALLOWED_ATTR: ['href', 'target', 'src'],
+	})
 	updateProfile.submit(
 		{},
 		{