mirror of
https://github.com/MichMich/MagicMirror.git
synced 2026-06-13 22:56:18 +00:00
**Please make sure that you have followed these 3 rules before submitting your Pull Request:**

> 1. Base your pull requests against the `develop` branch.

Done.

> 2. Include these infos in the description:
>
> - Does the pull request solve a **related** issue?

No

> - If so, can you reference the issue like this `Fixes #<issue_number>`?
> - What does the pull request accomplish? Use a list if needed.
> - If it includes major visual changes please add screenshots.

Render a strict allowlist of basic formatting tags (b, strong, i, em, u) in news titles and descriptions, while neutralizing all other HTML. Feeds such as The Atlantic encode emphasis as entities (`<em>`), which html-to-text decoded to a literal `<em>` string that the template then auto-escaped, so the raw tag was shown on screen. The new opt-in `allowBasicHtmlTags` option (default false) sanitizes both fields by escaping everything and restoring only the exact, attribute-free allowlisted tags, so the result is safe to render and arbitrary HTML/script injection is impossible. Adds unit tests for the sanitizer and an e2e test covering rendering and an injection attempt.

Before screenshot:

<img width="980" height="2726" alt="before" src="https://github.com/user-attachments/assets/d1c871e1-21c5-44f9-ae40-da65c2c56f68" />

After screenshot:

<img width="980" height="2726" alt="after" src="https://github.com/user-attachments/assets/22d9e86b-221c-408e-a29b-718b0e98f236" />

> 3. Please run `node --run lint:prettier` before submitting so that
> style issues are fixed.

Done

**Note**: Sometimes the development moves very fast. It is highly recommended that you update your branch of `develop` before creating a pull request to send us your changes. This makes everyone's lives easier (including yours) and helps us out on the development team. Thanks again and have a nice day!

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
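The escape-then-restore approach the description outlines, written out as an added example that is not the project's own sanitizer: the function and constant names (`escapeHtml`, `sanitizeBasicHtml`, `ALLOWED_TAGS`) are assumed, and it additionally balances the restored tags so an unclosed `<b>` in a feed item cannot bleed formatting into the rest of the page.

```javascript
// Added example, not MagicMirror's code. Names below are assumed for illustration.
const ALLOWED_TAGS = ["b", "strong", "i", "em", "u"];

// Escape every character that could start markup; the result is inert text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape everything, then restore only exact, attribute-free allowlisted tags
// such as "<em>" or "</b>". A tag carrying attributes ("<b onclick=...>"), any
// non-allowlisted tag, and text that was already entity-encoded all stay escaped.
// Stray closing tags are dropped and unclosed tags are closed at the end.
function sanitizeBasicHtml(text, allowBasicHtmlTags = false) {
  const escaped = escapeHtml(text);
  if (!allowBasicHtmlTags) return escaped;
  // After escaping, a bare tag looks like "&lt;em&gt;" or "&lt;/em&gt;".
  const tagPattern = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join("|")})&gt;`, "gi");
  const open = [];
  let out = escaped.replace(tagPattern, (_match, slash, name) => {
    const tag = name.toLowerCase(); // normalise "<STRONG>" to "<strong>"
    if (slash === "") {
      open.push(tag);
      return `<${tag}>`;
    }
    // Closing tag: honour it only if it closes the innermost open tag.
    if (open.length && open[open.length - 1] === tag) {
      open.pop();
      return `</${tag}>`;
    }
    return ""; // unmatched closing tag: it was markup, not content, so drop it
  });
  // Close anything the feed left open, innermost first.
  while (open.length) out += `</${open.pop()}>`;
  return out;
}
```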