MagicMirror/tests/mocks/newsfeed_basic_html.xml
Morgan McBee 6ab8104dda [newsfeed] add allowBasicHtmlTags option for basic emphasis (#4176)
**Please make sure that you have followed these 3 rules before
submitting your Pull Request:**

> 1. Base your pull requests against the `develop` branch.
Done.
> 2. Include this information in the description:
>
> - Does the pull request solve a **related** issue?
No
> - If so, can you reference the issue like this `Fixes #<issue_number>`?
> - What does the pull request accomplish? Use a list if needed.
> - If it includes major visual changes please add screenshots.
>

Render a strict allowlist of basic formatting tags (b, strong, i, em, u)
in news titles and descriptions, while neutralizing all other HTML.

Feeds such as The Atlantic encode emphasis as entities (&lt;em&gt;),
which html-to-text decoded to a literal <em> string that the template
then auto-escaped, so the raw tag was shown on screen. The new opt-in
allowBasicHtmlTags option (default false) sanitizes both fields by
escaping everything and restoring only the exact, attribute-free
allowlisted tags, so the result is safe to render and arbitrary
HTML/script injection is impossible.

Adds unit tests for the sanitizer and an e2e test covering rendering and
an injection attempt.

Before screenshot: https://github.com/user-attachments/assets/d1c871e1-21c5-44f9-ae40-da65c2c56f68
After screenshot: https://github.com/user-attachments/assets/22d9e86b-221c-408e-a29b-718b0e98f236
> 3. Please run `node --run lint:prettier` before submitting so that
>    style issues are fixed.
Done

**Note**: Sometimes the development moves very fast. It is highly
recommended that you update your branch of `develop` before creating a
pull request to send us your changes. This makes everyone's lives
easier (including yours) and helps us out on the development team.

Thanks again and have a nice day!

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 05:40:53 -05:00


<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>Formatting Feed</title>
<link>http://localhost:8080</link>
<description>Feed used to test the allowBasicHtmlTags option.</description>
<item>
<title>News &lt;em&gt;Flash&lt;/em&gt;</title>
<link>http://localhost:8080/article</link>
<pubDate>Tue, 20 Sep 2016 11:16:08 +0000</pubDate>
<guid isPermaLink="false">http://localhost:8080/?p=1</guid>
<description><![CDATA[<p><em>Italic</em> and <strong>Bold</strong> and <u>Underlined</u> text.</p><script>window.__newsfeedXss = true;</script><img src="x" onerror="window.__newsfeedXss = true">]]></description>
</item>
</channel>
</rss>
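The sanitizer the commit message describes ("escape everything, then restore only the exact, attribute-free allowlisted tags"), reimplemented here as an added example that is not MagicMirror's own code, and run over the item in the mock feed above. It assumes the inputs are the decoded strings a feed parser hands the template (the module's html-to-text step is not modelled), and the helper names `escapeHtml`, `sanitizeBasicHtml` and `findDisallowedTags` are the example's own, not the module's.

```javascript
// Added example, not MagicMirror's own code: a reimplementation of the
// allowBasicHtmlTags sanitizer the commit message describes, applied to the
// item from the mock feed. Helper names are this example's own assumptions.

const ALLOWED_TAGS = ["b", "strong", "i", "em", "u"];

// Step 1: escape everything, so no markup from the feed survives as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Step 2: restore only the exact, attribute-free allowlisted tags. After
// escaping, "<em>" reads "&lt;em&gt;", so this pattern can only match a bare
// tag name: "&lt;em class=x&gt;" or "&lt;EM&gt;" stay escaped and inert.
const ALLOWED_ESCAPED = new RegExp(
  `&lt;(/?)(${ALLOWED_TAGS.join("|")})&gt;`,
  "g"
);

function sanitizeBasicHtml(text) {
  return escapeHtml(text).replace(ALLOWED_ESCAPED, "<$1$2>");
}

// Check used below: list every tag in a rendered string that is not a bare,
// lowercase, attribute-free allowlisted tag. Empty means nothing but
// b/strong/i/em/u made it through as markup.
function findDisallowedTags(html) {
  const found = [];
  const tagPattern = /<(\/?)([a-z0-9]+)([^>]*)>/gi;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    const name = match[2].toLowerCase();
    const attrs = match[3].trim();
    if (!ALLOWED_TAGS.includes(name) || attrs !== "" || match[2] !== name) {
      found.push(match[0]);
    }
  }
  return found;
}

// Inputs taken from the mock feed above. The title arrives entity-decoded
// (an RSS parser turns "&lt;em&gt;" into "<em>"); the description is the raw
// CDATA body, script element and onerror payload included.
const TITLE = "News <em>Flash</em>";
const DESCRIPTION =
  '<p><em>Italic</em> and <strong>Bold</strong> and <u>Underlined</u> text.</p>' +
  '<script>window.__newsfeedXss = true;</script>' +
  '<img src="x" onerror="window.__newsfeedXss = true">';

// The "before" behaviour: the template auto-escapes the decoded title, so the
// viewer sees a literal <em>Flash</em> on screen.
const BEFORE_TITLE = escapeHtml(TITLE);
// The "after" behaviour with allowBasicHtmlTags: emphasis renders, the
// script element and the img onerror handler stay escaped text.
const AFTER_TITLE = sanitizeBasicHtml(TITLE);
const AFTER_DESCRIPTION = sanitizeBasicHtml(DESCRIPTION);

console.log("before:", BEFORE_TITLE);
console.log("after: ", AFTER_TITLE);
console.log("after: ", AFTER_DESCRIPTION);
console.log("disallowed tags left:", findDisallowedTags(AFTER_DESCRIPTION));
```

Run it with `node`. Two caveats a reviewer would want on record: the restore step is purely textual, so an unbalanced `<b>` from a feed is restored as-is and left for the browser to close at the end of the containing element (a layout nuisance, not a script vector), and the input must be entity-decoded exactly once before sanitizing, since an already-escaped `&amp;` comes out as `&amp;amp;` and displays literally.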