Change sanitize-html back to the upstream module

This commit is contained in:
Calvin Montgomery 2017-03-03 23:51:47 -08:00
parent a56f0d5b10
commit d65cf1beef
3 changed files with 13 additions and 4 deletions

11
NEWS.md

@ -1,3 +1,14 @@
2017-03-03
==========
The dependency on `sanitize-html`, which previously pointed to a fork, has now
been switched back to the upstream module. XSS filtering has been turned off
for the chat filter replacement itself (since this provides no additional
security), and is now only run on the final chat message after filtering.
Certain chat filters and MOTDs which relied on syntactically incorrect HTML,
such as unclosed tags, may have different behavior now, since `sanitize-html`
fixes these.
2016-11-02 2016-11-02
========== ==========


@ -2,7 +2,7 @@
"author": "Calvin Montgomery", "author": "Calvin Montgomery",
"name": "CyTube", "name": "CyTube",
"description": "Online media synchronizer and chat", "description": "Online media synchronizer and chat",
"version": "3.30.4", "version": "3.31.0",
"repository": { "repository": {
"url": "http://github.com/calzoneman/sync" "url": "http://github.com/calzoneman/sync"
}, },
@ -38,7 +38,7 @@
"pug": "^2.0.0-beta3", "pug": "^2.0.0-beta3",
"q": "^1.4.1", "q": "^1.4.1",
"redis": "^2.4.2", "redis": "^2.4.2",
"sanitize-html": "git://github.com/calzoneman/sanitize-html", "sanitize-html": "^1.14.1",
"serve-static": "^1.10.0", "serve-static": "^1.10.0",
"socket.io": "^1.4.0", "socket.io": "^1.4.0",
"socket.io-redis": "^1.0.0", "socket.io-redis": "^1.0.0",
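Review bot: The new `"sanitize-html": "^1.14.1"` is a caret range, so the release actually installed is decided by the registry at install time rather than by this commit, and this commit adds no lockfile to pin it (whether one is maintained elsewhere in the repository is not visible here). Per the NEWS.md entry in the same commit, this module is now the only layer filtering the final chat message, so a silent minor-version change in its tag-fixing or attribute handling changes the security behaviour of chat output without any code change in this repository. The git URL being replaced carried no commit ref either, so this is not a regression, but it is the natural moment to make the version reproducible: either pin it, `"sanitize-html": "1.14.1"`, or commit a lockfile and record the resolved version in the NEWS entry.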


@ -1,6 +1,5 @@
var FilterList = require("cytubefilters"); var FilterList = require("cytubefilters");
var ChannelModule = require("./module"); var ChannelModule = require("./module");
var XSS = require("../xss");
var Logger = require("../logger"); var Logger = require("../logger");
/* /*
@ -22,7 +21,6 @@ function validateFilter(f) {
} }
f.replace = fixReplace(f.replace.substring(0, 1000)); f.replace = fixReplace(f.replace.substring(0, 1000));
f.replace = XSS.sanitizeHTML(f.replace);
f.flags = f.flags.substring(0, 4); f.flags = f.flags.substring(0, 4);
try { try {