kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2026-06-13 18:45:42 +00:00
Code Issues Projects Releases Wiki Activity
Files
b9be026df677ebd5fce77eb683efcc0f2e9a6b72
MagicMirror/defaultmodules/newsfeed/node_helper.js
Morgan McBee 6ab8104dda [newsfeed] add allowBasicHtmlTags option for basic emphasis (#4176) 
**Please make sure that you have followed these 3 rules before
submitting your Pull Request:**

> 1. Base your pull requests against the `develop` branch.
Done.
> 2. Include these infos in the description:
>
> - Does the pull request solve a **related** issue?
No
> - If so, can you reference the issue like this `Fixes
#<issue_number>`?
> - What does the pull request accomplish? Use a list if needed.
> - If it includes major visual changes please add screenshots.
>

Render a strict allowlist of basic formatting tags (b, strong, i, em, u)
in news titles and descriptions, while neutralizing all other HTML.

Feeds such as The Atlantic encode emphasis as entities (&lt;em&gt;),
which html-to-text decoded to a literal <em> string that the template
then auto-escaped, so the raw tag was shown on screen. The new opt-in
allowBasicHtmlTags option (default false) sanitizes both fields by
escaping everything and restoring only the exact, attribute-free
allowlisted tags, so the result is safe to render and arbitrary
HTML/script injection is impossible.

Adds unit tests for the sanitizer and an e2e test covering rendering and
an injection attempt.

Before screenshot: <img width="980" height="2726" alt="before"
src="https://github.com/user-attachments/assets/d1c871e1-21c5-44f9-ae40-da65c2c56f68"
/>
After screenshot: <img width="980" height="2726" alt="after"
src="https://github.com/user-attachments/assets/22d9e86b-221c-408e-a29b-718b0e98f236"
/>
> 3. Please run `node --run lint:prettier` before submitting so that
>    style issues are fixed.
Done

**Note**: Sometimes the development moves very fast. It is highly
recommended that you update your branch of `develop` before creating a
pull request to send us your changes. This makes everyone's lives
easier (including yours) and helps us out on the development team.

Thanks again and have a nice day!

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 05:40:53 -05:00

100 lines
3.3 KiB
JavaScript
Raw Blame History

const NodeHelper = require("node_helper");
const Log = require("logger");
const NewsfeedFetcher = require("./newsfeedfetcher");
module.exports = NodeHelper.create({
// Override start method.
start () {
Log.log(`Starting node helper for: ${this.name}`);
this.fetchers = [];
},
// Override socketNotificationReceived received.
socketNotificationReceived (notification, payload) {
if (notification === "ADD_FEED") {
this.createFetcher(payload.feed, payload.config);
} else if (notification === "CHECK_ARTICLE_URL") {
this.checkArticleUrl(payload.url);
}
},
/**
* Checks whether a URL can be displayed in an iframe by inspecting
* X-Frame-Options and Content-Security-Policy headers server-side.
* @param {string} url The article URL to check.
*/
async checkArticleUrl (url) {
try {
const response = await fetch(url, { method: "HEAD" });
const xfo = response.headers.get("x-frame-options");
const csp = response.headers.get("content-security-policy");
// sameorigin also blocks since the article is on a different origin than MM
const blockedByXFO = xfo && ["deny", "sameorigin"].includes(xfo.toLowerCase().trim());
const blockedByCSP = csp && (/frame-ancestors\s+['"]?none['"]?/).test(csp);
this.sendSocketNotification("ARTICLE_URL_STATUS", { url, canFrame: !blockedByXFO && !blockedByCSP });
} catch {
// Network error or HEAD not supported — let the browser try the iframe anyway
this.sendSocketNotification("ARTICLE_URL_STATUS", { url, canFrame: true });
}
},
/**
* Creates a fetcher for a new feed if it doesn't exist yet.
* Otherwise it reuses the existing one.
* @param {object} feed The feed object
* @param {object} config The configuration object
*/
createFetcher (feed, config) {
const url = feed.url || "";
const encoding = feed.encoding || "UTF-8";
const reloadInterval = feed.reloadInterval || config.reloadInterval || 5 * 60 * 1000;
const useCorsProxy = feed.useCorsProxy ?? true;
try {
new URL(url);
} catch (error) {
Log.error("Error: Malformed newsfeed url: ", url, error);
this.sendSocketNotification("NEWSFEED_ERROR", { error_type: "MODULE_ERROR_MALFORMED_URL" });
return;
}
let fetcher;
if (typeof this.fetchers[url] === "undefined") {
Log.log(`Create new newsfetcher for url: ${url} - Interval: ${reloadInterval}`);
fetcher = new NewsfeedFetcher(url, reloadInterval, encoding, config.logFeedWarnings, useCorsProxy, config.allowedBasicHtmlTags);
fetcher.onReceive(() => {
this.broadcastFeeds();
});
fetcher.onError((fetcher, errorInfo) => {
Log.error("Error: Could not fetch newsfeed: ", fetcher.url, errorInfo.message || errorInfo);
this.sendSocketNotification("NEWSFEED_ERROR", {
error_type: errorInfo.translationKey
});
});
this.fetchers[url] = fetcher;
} else {
Log.log(`Use existing newsfetcher for url: ${url}`);
fetcher = this.fetchers[url];
fetcher.setReloadInterval(reloadInterval);
fetcher.broadcastItems();
}
fetcher.startFetch();
},
/**
* Creates an object with all feed items of the different registered feeds,
* and broadcasts these using sendSocketNotification.
*/
broadcastFeeds () {
const feeds = {};
for (const url in this.fetchers) {
feeds[url] = this.fetchers[url].items;
}
this.sendSocketNotification("NEWS_ITEMS", feeds);
}
});
Reference in New Issue View Git Blame Copy Permalink