4 changes: 2 additions & 2 deletions apps/gui/src/lib/components/layout/PageHeader.svelte
Expand Up @@ -3,7 +3,7 @@
import { clickToCopy } from "$utils/ux";
import { safeImageUrl } from "$utils/sanitize";
import { bannerStyleString } from "$utils/style-helpers";
import * as DOMPurify from "dompurify";
import DOMPurify from "dompurify";

export let title: string;
export let icon: string | undefined = undefined;
Expand All @@ -29,7 +29,7 @@
// sanitize via DOMPurify rather than dropping {@html} entirely. DOMPurify
// is already a dependency of apps/gui (used in $utils/notes.ts).
// sanitize() defaults strip script tags and event-handler attributes.
$: safeSubtitle = subtitle ? (DOMPurify as any).sanitize(subtitle) : '';
$: safeSubtitle = subtitle ? DOMPurify(subtitle) : '';

</script>
<header
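Review bot: The new `DOMPurify(subtitle)` call does not sanitize anything: dompurify's default export is the purifier instance, and invoking it directly is the factory that builds a fresh instance for the window passed as its first argument, not `sanitize()`. With a string as that argument the call returns an instance with no usable sanitizer, so `safeSubtitle` ends up holding that object rather than cleaned HTML, and the `{@html}` path this block was meant to protect loses its sanitization entirely; the line should read `$: safeSubtitle = subtitle ? DOMPurify.sanitize(subtitle) : '';`. The same defect appears in the applySanitize hunk of apps/gui/src/lib/utils/notes.ts, where the two-argument `DOMPurify(text, { ... })` call also very likely fails to match the published call signature and should be `return DOMPurify.sanitize(text, {`. Switching from the namespace import to the default import is fine on its own; it is the dropped `.sanitize` member access that needs restoring.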
11 changes: 2 additions & 9 deletions apps/gui/src/lib/utils/notes.ts
@@ -1,5 +1,5 @@
import { marked, type MarkedOptions } from 'marked';
import * as DOMPurify from 'dompurify';
import DOMPurify from 'dompurify';
import { writable, get, type Writable } from 'svelte/store';
import { nip19 } from 'nostr-tools';
import type { UserService } from '$lib/services/UserService';
Expand Down Expand Up @@ -292,14 +292,7 @@ async function applyMarkdown(text: string, options: MarkedOptions): Promise<stri
* replace the default allowlist); ADD_TAGS / ADD_ATTR extend it.
*/
function applySanitize(text: string): string {
// DOMPurify's CommonJS shape: in some bundler setups DOMPurify is the
// default export; in others it's the module namespace. The current
// codebase uses `import * as DOMPurify` — the .sanitize is on the
// namespace OR on .default depending on bundler. Defensive lookup.
const purify =
// eslint-disable-next-line @typescript-eslint/no-explicit-any
(DOMPurify as any).sanitize ?? (DOMPurify as any).default?.sanitize;
return purify(text, {
return DOMPurify(text, {
ADD_TAGS: ['iframe'],
ADD_ATTR: ['allow', 'allowfullscreen', 'frameborder', 'scrolling', 'src'],
});