From 60b24654f9be0faee83728edb6d7d5aa4e7dfe72 Mon Sep 17 00:00:00 2001
From: gtsp233 <149294029+gtsp233@users.noreply.github.com>
Date: Sun, 29 Oct 2023 08:37:42 +0000
Subject: [PATCH] fix: sanitize html
---
client/package.json | 1 +
client/src/components/Blog/Blog.jsx | 3 ++-
server/package.json | 3 ++-
server/routes/user.js | 8 ++++++--
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/client/package.json b/client/package.json
index efe9470..1447419 100644
--- a/client/package.json
+++ b/client/package.json
@@ -10,6 +10,7 @@
"@testing-library/user-event": "^13.5.0",
"axios": "^0.25.0",
"bootstrap": "^5.1.3",
+ "dompurify": "^3.0.6",
"react": "^17.0.2",
"react-bootstrap": "^2.1.1",
"react-copy-to-clipboard": "^5.0.4",
diff --git a/client/src/components/Blog/Blog.jsx b/client/src/components/Blog/Blog.jsx
index d741ac5..e479e78 100644
--- a/client/src/components/Blog/Blog.jsx
+++ b/client/src/components/Blog/Blog.jsx
@@ -10,6 +10,7 @@ import axios from "axios";
import NavBar from "../NavBar/NavBar";
import Footer from "../Footer/Footer";
import "./Blog.css";
+import DOMPurify from 'dompurify';
export default function Blog() {
const { id } = useParams();
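Review bot: `import DOMPurify from 'dompurify';` uses single quotes while the neighbouring imports in this file use double quotes; `import DOMPurify from "dompurify";` keeps the file consistent. The hunk that actually applies DOMPurify to the rendered blog body is not fully visible in this patch, so whether `DOMPurify.sanitize` wraps the value handed to the presumed `dangerouslySetInnerHTML` cannot be confirmed from here and should be checked in the full diff. The `Blog` component body continues well past this hunk.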
@@ -180,7 +181,7 @@ export default function Blog() {
{blog.title}
diff --git a/server/package.json b/server/package.json
index a0fbf80..b5ecd64 100644
--- a/server/package.json
+++ b/server/package.json
@@ -22,6 +22,7 @@
"express": "^4.17.2",
"jsonwebtoken": "^8.5.1",
"mongoose": "^6.1.8",
- "multer": "^1.4.4"
+ "multer": "^1.4.4",
+ "sanitize-html": "^2.11.0"
}
}
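Review bot: No lockfile appears in the diffstat next to the new `"sanitize-html": "^2.11.0"` entry, and the caret range lets minor releases drift; if the server keeps a `package-lock.json`, it should be regenerated in the same commit so deployments resolve the same sanitizer version that was tested. Since this library is now the security control on the write path, pinning and reviewing its upgrades deserves the same care as the code that calls it.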
diff --git a/server/routes/user.js b/server/routes/user.js
index 9ac57c4..b57236b 100644
--- a/server/routes/user.js
+++ b/server/routes/user.js
@@ -5,6 +5,7 @@ const multer = require("multer");
const cloudinary = require("cloudinary").v2;
const User = require("../models/user.model");
const Blog = require("../models/blog.model");
+const sanitizeHtml = require('sanitize-html');
const { CLOUD_NAME, API_KEY, API_SECRET } = process.env;
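Review bot: `require('sanitize-html')` uses single quotes where every neighbouring `require` in this file uses double quotes; for consistency write `const sanitizeHtml = require("sanitize-html");`. Nothing else in this hunk needs changing.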
@@ -129,6 +130,9 @@ Router.post("/post/comment/:id", async (req, res) => {
Router.post("/create", upload.single("image"), async (req, res) => {
const { title, content, date, token } = req.body;
+ const sanitizedTitle = sanitizeHtml(title);
+ const sanitizedContent = sanitizeHtml(content);
+
if (req.file) {
cloudinary.uploader.upload(
req.file.path,
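Review bot: `sanitizeHtml(title)` on the line after the destructuring still leaves whatever the library's default allowlist permits (`<a>`, `<b>`, `<p>`, …) inside a blog title, which is presumably rendered as text rather than HTML; a title should be reduced to plain text with `const sanitizedTitle = sanitizeHtml(title, { allowedTags: [], allowedAttributes: {} });`, and `content` would benefit from an explicit `allowedTags`/`allowedAttributes`/`allowedSchemes` configuration rather than relying on library defaults that can change between versions. The `/post/comment/:id` handler named in the hunk header is not touched by this commit; if comment bodies are rendered the same way as blog content they need the same treatment. Sanitizing runs before the token/user lookup further down, which is harmless but means the work is also done for unauthenticated requests. The handler body continues past the end of the hunk.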
@@ -148,8 +152,8 @@ Router.post("/create", upload.single("image"), async (req, res) => {
return res.status(404).send({ error: "User not found" });
}
const blog = new Blog({
- title,
- content,
+ title: sanitizedTitle,
+ content: sanitizedContent,
image,
cloudinaryId,
author: user.name,
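Review bot: Storing `sanitizedTitle`/`sanitizedContent` only protects documents created after this commit; Blog records already in the database keep whatever HTML they were posted with, so the render path still needs output-side sanitization (the DOMPurify import added on the client suggests that is intended, but the read path should be confirmed) or a one-off migration that re-runs `sanitizeHtml` over existing `title` and `content`. A short comment on these two lines, such as `// stored pre-sanitized; the client still sanitizes on render`, would make the layered intent clear to the next maintainer. The `new Blog({ ... })` literal continues past the end of the hunk.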