fix(backend): happy-domで外部HTMLをパースする際に関連リソースが読み込まれる問題を修正 (#14521)
* bump happy-dom, disable all JS&c when parsing

  version 10 didn't quite support disabling all of that

  I have tested that `MfmService` (the other code that uses `happy-dom`) still works fine: the RSS feed for a user is generated correctly, with HTML rendered from MFM

  (cherry picked from commit 26e0412fbb91447c37e8fb06ffb0487346063bb8)

* Update Changelog
* lint
* fix possible memory leak

---------

Co-authored-by: dakkar <dakkar@thenautilus.net>
parent
e0f54d6a68
commit
be0906a6c7
@ -13,6 +13,8 @@
|
|||||||
|
|
||||||
### Server
|
### Server
|
||||||
- Fix: ファイルがサイズの制限を超えてアップロードされた際にエラーを返さなかった問題を修正
|
- Fix: ファイルがサイズの制限を超えてアップロードされた際にエラーを返さなかった問題を修正
|
||||||
|
- Fix: 外部ページを解析する際に、ページに紐づけられた関連リソースも読み込まれてしまう問題を修正
|
||||||
|
(Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/commit/26e0412fbb91447c37e8fb06ffb0487346063bb8)
|
||||||
|
|
||||||
|
|
||||||
## 2024.8.0
|
## 2024.8.0
|
||||||
|
@ -119,7 +119,7 @@
|
|||||||
"fluent-ffmpeg": "2.1.3",
|
"fluent-ffmpeg": "2.1.3",
|
||||||
"form-data": "4.0.0",
|
"form-data": "4.0.0",
|
||||||
"got": "14.4.2",
|
"got": "14.4.2",
|
||||||
"happy-dom": "10.0.3",
|
"happy-dom": "15.6.1",
|
||||||
"hpagent": "1.2.0",
|
"hpagent": "1.2.0",
|
||||||
"htmlescape": "1.1.1",
|
"htmlescape": "1.1.1",
|
||||||
"http-link-header": "1.1.3",
|
"http-link-header": "1.1.3",
|
||||||
|
@ -207,16 +207,41 @@ export class ApRequestService {
|
|||||||
|
|
||||||
if ((contentType ?? '').split(';')[0].trimEnd().toLowerCase() === 'text/html' && _followAlternate === true) {
|
if ((contentType ?? '').split(';')[0].trimEnd().toLowerCase() === 'text/html' && _followAlternate === true) {
|
||||||
const html = await res.text();
|
const html = await res.text();
|
||||||
const window = new Window();
|
const window = new Window({
|
||||||
|
settings: {
|
||||||
|
disableJavaScriptEvaluation: true,
|
||||||
|
disableJavaScriptFileLoading: true,
|
||||||
|
disableCSSFileLoading: true,
|
||||||
|
disableComputedStyleRendering: true,
|
||||||
|
handleDisabledFileLoadingAsSuccess: true,
|
||||||
|
navigation: {
|
||||||
|
disableMainFrameNavigation: true,
|
||||||
|
disableChildFrameNavigation: true,
|
||||||
|
disableChildPageNavigation: true,
|
||||||
|
disableFallbackToSetURL: true,
|
||||||
|
},
|
||||||
|
timer: {
|
||||||
|
maxTimeout: 0,
|
||||||
|
maxIntervalTime: 0,
|
||||||
|
maxIntervalIterations: 0,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
});
|
||||||
const document = window.document;
|
const document = window.document;
|
||||||
document.documentElement.innerHTML = html;
|
try {
|
||||||
|
document.documentElement.innerHTML = html;
|
||||||
|
|
||||||
const alternate = document.querySelector('head > link[rel="alternate"][type="application/activity+json"]');
|
const alternate = document.querySelector('head > link[rel="alternate"][type="application/activity+json"]');
|
||||||
if (alternate) {
|
if (alternate) {
|
||||||
const href = alternate.getAttribute('href');
|
const href = alternate.getAttribute('href');
|
||||||
if (href) {
|
if (href) {
|
||||||
return await this.signedGet(href, user, false);
|
return await this.signedGet(href, user, false);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
} catch (e) {
|
||||||
|
// something went wrong parsing the HTML, ignore the whole thing
|
||||||
|
} finally {
|
||||||
|
window.close();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
//#endregion
|
//#endregion
|
||||||
|
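Review bot: The new `try`/`catch` also encloses `return await this.signedGet(href, user, false)`, so any error raised while fetching the alternate document is swallowed under a comment that only mentions HTML parsing, and execution falls through to the code after this block (outside the hunk) as if no alternate link had been found. The old side had no `try` here, so those errors used to reach the caller. Narrow the `try` to the parse and the `querySelector` lookup, close the window in `finally`, and issue the signed request afterwards. Separately, `href` is taken straight from remote HTML and nothing in the visible lines checks that it points at the same host as the page that was fetched; unless `signedGet` validates this itself, consider comparing hosts before following it.

```typescript
// … unchanged: Window construction with the restrictive settings …
let href = null;
try {
	document.documentElement.innerHTML = html;
	// … unchanged: querySelector for the alternate link …
	href = alternate?.getAttribute('href') ?? null;
} catch (e) {
	// something went wrong parsing the HTML, ignore the whole thing
} finally {
	window.close();
}
if (href) {
	// errors from the follow-up request now propagate to the caller again
	return await this.signedGet(href, user, false);
}
```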
14
pnpm-lock.yaml
generated
@ -246,8 +246,8 @@ importers:
|
|||||||
specifier: 14.4.2
|
specifier: 14.4.2
|
||||||
version: 14.4.2
|
version: 14.4.2
|
||||||
happy-dom:
|
happy-dom:
|
||||||
specifier: 10.0.3
|
specifier: 15.6.1
|
||||||
version: 10.0.3
|
version: 15.6.1
|
||||||
hpagent:
|
hpagent:
|
||||||
specifier: 1.2.0
|
specifier: 1.2.0
|
||||||
version: 1.2.0
|
version: 1.2.0
|
||||||
@ -7782,6 +7782,10 @@ packages:
|
|||||||
happy-dom@10.0.3:
|
happy-dom@10.0.3:
|
||||||
resolution: {integrity: sha512-WkCP+Z5fX6U5PY+yHP3ElV5D9PoxRAHRWPFq3pG9rg/6Hjf5ak7dozAgSCywsTRUq2qfa8vV8OQvUy5pRXy8EQ==}
|
resolution: {integrity: sha512-WkCP+Z5fX6U5PY+yHP3ElV5D9PoxRAHRWPFq3pG9rg/6Hjf5ak7dozAgSCywsTRUq2qfa8vV8OQvUy5pRXy8EQ==}
|
||||||
|
|
||||||
|
happy-dom@15.6.1:
|
||||||
|
resolution: {integrity: sha512-dsMHLsJHZYhXeExP47B2siAfKNVxptlwFss3/bq/9sG3iBt0P2WYFBq68JgMR5vB5gsN2Ev0feTTPD/+rosUNQ==}
|
||||||
|
engines: {node: '>=18.0.0'}
|
||||||
|
|
||||||
har-schema@2.0.0:
|
har-schema@2.0.0:
|
||||||
resolution: {integrity: sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==}
|
resolution: {integrity: sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==}
|
||||||
engines: {node: '>=4'}
|
engines: {node: '>=4'}
|
||||||
@ -20289,6 +20293,12 @@ snapshots:
|
|||||||
whatwg-encoding: 2.0.0
|
whatwg-encoding: 2.0.0
|
||||||
whatwg-mimetype: 3.0.0
|
whatwg-mimetype: 3.0.0
|
||||||
|
|
||||||
|
happy-dom@15.6.1:
|
||||||
|
dependencies:
|
||||||
|
entities: 4.5.0
|
||||||
|
webidl-conversions: 7.0.0
|
||||||
|
whatwg-mimetype: 3.0.0
|
||||||
|
|
||||||
har-schema@2.0.0: {}
|
har-schema@2.0.0: {}
|
||||||
|
|
||||||
har-validator@5.1.5:
|
har-validator@5.1.5:
|
||||||
|