From 005aa2d6157a34049bf45641c06861d606a85edb Mon Sep 17 00:00:00 2001 From: Huang Xin Date: Wed, 24 Jun 2026 22:01:18 +0800 Subject: [PATCH] fix(security): iframe srcdoc atrribute can lead to arbitrary code execution (#4762) --- apps/readest-app/src/services/transformers/sanitizer.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/readest-app/src/services/transformers/sanitizer.ts b/apps/readest-app/src/services/transformers/sanitizer.ts index 27637f04..56fbf82d 100644 --- a/apps/readest-app/src/services/transformers/sanitizer.ts +++ b/apps/readest-app/src/services/transformers/sanitizer.ts @@ -17,7 +17,8 @@ export const sanitizerTransformer: Transformer = { const sanitized = DOMPurify.sanitize(result, { WHOLE_DOCUMENT: true, - FORBID_TAGS: ['script'], + FORBID_TAGS: ['script', 'iframe', 'object', 'embed'], + FORBID_ATTR: ['srcdoc'], ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|blob|data):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i, ADD_TAGS: ['link', 'meta'],