Merge commit from fork

* fix: sanitize user-media svg api endpoint using isomorphic dompurify

* fix: add iframe sandbox to prevent privilege escalation
Manuel
2025-11-14 18:00:15 +01:00
committed by GitHub
parent d33cfe211a
commit aaa23f3732
5 changed files with 118 additions and 5 deletions


@@ -11,8 +11,9 @@ import classes from "./component.module.css";
export default function IFrameWidget({ options, isEditMode }: WidgetComponentProps<"iframe">) {
const t = useI18n();
const { embedUrl, ...permissions } = options;
const { embedUrl, allowScrolling, ...permissions } = options;
const allowedPermissions = getAllowedPermissions(permissions);
const sandboxFlags = getSandboxFlags(permissions);
if (embedUrl.trim() === "") return <NoUrl />;
if (!isSupportedProtocol(embedUrl)) {
@@ -27,7 +28,8 @@ export default function IFrameWidget({ options, isEditMode }: WidgetComponentPro
src={embedUrl}
title="widget iframe"
allow={allowedPermissions.join(" ")}
scrolling={options.allowScrolling ? "yes" : "no"}
scrolling={allowScrolling ? "yes" : "no"}
sandbox={sandboxFlags.join(" ")}
>
<Text>{t("widget.iframe.error.noBrowerSupport")}</Text>
</iframe>
@@ -80,6 +82,22 @@ const getAllowedPermissions = (
.map(([key]) => permissionMapping[key]);
};
const getSandboxFlags = (
permissions: Omit<WidgetComponentProps<"iframe">["options"], "embedUrl" | "allowScrolling">,
) => {
const baseSandbox = ["allow-scripts", "allow-same-origin", "allow-forms", "allow-popups"];
if (permissions.allowFullScreen) {
baseSandbox.push("allow-presentation");
}
if (permissions.allowPayment) {
baseSandbox.push("allow-popups-to-escape-sandbox");
}
return baseSandbox;
};
const permissionMapping = {
allowAutoPlay: "autoplay",
allowCamera: "camera",
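Review bot: In `getSandboxFlags`, `baseSandbox` always contains both `allow-scripts` and `allow-same-origin`, so when `embedUrl` has the same origin as the dashboard the framed document can script the parent and remove its own `sandbox` attribute; the sandbox then only constrains cross-origin embeds. If same-origin embeds are possible here (the hunk does not show what `isSupportedProtocol` rejects), consider omitting `allow-same-origin` for them, or at least record the limit above the array, e.g. `// allow-scripts + allow-same-origin: no isolation when embedUrl is same-origin`. Separately, `allowPayment` adds `allow-popups-to-escape-sandbox`, which lets any popup the frame opens run unsandboxed, and `allowFullScreen` maps to `allow-presentation`, which governs the Presentation API rather than fullscreen. Both mappings deserve a one-line comment stating why they were chosen.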