

feat: text input
using `dompurify` to protect against XSS
depatchedmode committed Feb 3, 2024
1 parent c3f7dbe commit abfcc1f
Showing 10 changed files with 70 additions and 735 deletions.
5 changes: 4 additions & 1 deletion api/index.js
Expand Up @@ -2,6 +2,7 @@ import landingPage from '../src/landing-page';
import frames from '../src/frames';
import { parseRequest, objectToURLSearchParams } from '../modules/utils';
import buildButtons from '../modules/buildButtons';
import buildInputs from '../modules/buildInputs';
import getTargetFrame from '../modules/getTargetFrame';
import { validateMessage } from '../src/data/message';

Expand All @@ -16,6 +17,7 @@ export default async (req, context) => {
from = requestURL.searchParams.get('frame');
buttonId = payload.untrustedData?.buttonIndex;
isOriginal = isOriginalCast(payload.untrustedData.castId.hash);
payload.referringFrame = from;
payload.validData = await validateMessage(payload.trustedData.messageBytes);
}

Expand Down Expand Up @@ -58,7 +60,8 @@ const respondWithFrame = async (frameName, frameSrc, payload) => {

const frameContent = {
image: ``,
buttons: buildButtons(frameSrc.buttons),
buttons: frameSrc.buttons ? buildButtons(frameSrc.buttons) : [],
inputs: frameSrc.inputs ? buildInputs(frameSrc.inputs) : [],
postURL: `${host}?frame=${frameName}`
}

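Review bot: In the respondWithFrame hunk the two new fallbacks are arrays while the builders return strings — buildInputs ends in `.join('\n')` (visible in modules/buildInputs.js, and buildButtons presumably does the same past its cut-off), so `frameContent.inputs` is a string for one frame and `[]` for the next. Both serialize to an empty string inside a template literal, but any downstream `.length` or `Array.isArray` check will see two different shapes; `inputs: frameSrc.inputs ? buildInputs(frameSrc.inputs) : ''` (and the same for `buttons`) keeps a single type. The second hunk stores the raw `frame` query value as `payload.referringFrame` without checking it against the known frame names; where that field is consumed is outside this diff, so it should be treated as untrusted there. respondWithFrame starts and ends outside the hunk.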
4 changes: 2 additions & 2 deletions modules/buildButtons.js
@@ -1,9 +1,9 @@
export default (buttons) => {
return buttons
.map((button, index) => {
let buttonMarkup = `<meta property="fc:frame:button:${index + 1}" content="${button.label}" />`;
let buttonMarkup = `<meta name="fc:frame:button:${index + 1}" content="${button.label}" />`;
if (button.url) {
buttonMarkup += `\n<meta property="fc:frame:button:${index + 1}:action" content="post_redirect" />`
buttonMarkup += `\n<meta name="fc:frame:button:${index + 1}:action" content="post_redirect" />`
}
return buttonMarkup;
})
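Review bot: The rewritten meta line still drops `button.label` into a double-quoted attribute unescaped, so a label containing `"` breaks out of `content` and into the tag; if labels only ever come from the checked-in frame definitions that is merely fragile, but it is the same pattern the commit message says dompurify was added to guard against. A two-line fix: `const escapeAttr = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');` at the top of the module and `content="${escapeAttr(button.label)}"` in both template strings. Separately, the frames spec examples I have seen use `property=` on the `fc:frame:*` tags; some validators also accept `name=`, but it is worth confirming against the spec before relying on it.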
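--- a/modules/buildInputs.js
+++ b/modules/buildInputs.js
@@ -0,0 +1,12 @@
+import buildTextInput from "./buildTextInput";
+
+export default (inputs) => {
+return inputs
+.map((input, index) => {
+switch (input.type) {
+case 'text':
+return buildTextInput(input);
+}
+})
+.join('\n');
+}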
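Review bot: The `switch` has no `default`, so an input whose `type` is anything other than `'text'` maps to `undefined`, which `.join('\n')` silently renders as an empty string — a typo in a frame definition disappears without a trace. Add `default: throw new Error(\`unsupported input type: ${input.type}\`);` (or `default: return '';` with a comment saying that dropping unknown types is intended). The `index` parameter of the map callback is unused and can go.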
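--- a/modules/buildTextInput.js
+++ b/modules/buildTextInput.js
@@ -0,0 +1,3 @@
+export default (input) => {
+return `<meta name="fc:frame:input:text" content="${input.content}" />`;
+}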
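Review bot: `input.content` is interpolated straight into `content="…"` with no escaping, and nothing in this file runs it through the new safeDecode, so a `"` in the text closes the attribute; note that dompurify's sanitize output is safe as HTML text, not inside a double-quoted attribute (`"` is not escaped), so even a sanitized value would still need attribute escaping here. One-line fix: `return \`<meta name="fc:frame:input:text" content="${String(input.content).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;')}" />\`;`. A short JSDoc would help too, e.g. `/** Renders the fc:frame:input:text meta tag; input.content is presumably the placeholder text — confirm against the frames spec. */`.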
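--- a/modules/safeDecode.js
+++ b/modules/safeDecode.js
@@ -0,0 +1,13 @@
+import { JSDOM } from 'jsdom';
+import DOMPurify from 'dompurify';
+
+export default (inputText) => {
+try {
+const decodedInputText = atob(inputText);
+const window = new JSDOM('').window;
+const purify = DOMPurify(window);
+return purify.sanitize(decodedInputText);
+} catch {
+throw new Error(`That ain't no encoded string mfr`)
+}
+}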
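Review bot: `atob` returns a latin1 "binary string", so any non-ASCII text in the decoded payload is mojibake before it reaches the sanitizer; re-decode the bytes as UTF-8 with `Buffer.from(atob(inputText), 'binary').toString('utf8')`, keeping `atob` so invalid base64 still throws. The `catch` also covers the JSDOM and DOMPurify calls, so a sanitizer failure is reported as a bad encoding and the original error is discarded — narrow the `try` to the decode and pass `{ cause: err }`. Creating a JSDOM window and a DOMPurify instance on every call is the expensive part of this function; both can be built once at module scope. Finally, DOMPurify returns HTML that is safe to insert as markup, not a value safe inside a double-quoted attribute (`"` survives sanitization), and none of the files shown in this commit call safeDecode yet, so where its result lands decides whether an attribute-escape step is still needed.
```javascript
// … unchanged: jsdom / dompurify imports …

// Build the DOM and the DOMPurify instance once; they are the expensive part of each call.
const purify = DOMPurify(new JSDOM('').window);

export default (inputText) => {
  let decodedInputText;
  try {
    // atob validates the base64 alphabet but yields a latin1 "binary string";
    // re-decode the bytes as UTF-8 so non-ASCII input survives.
    decodedInputText = Buffer.from(atob(inputText), 'binary').toString('utf8');
  } catch (err) {
    // Only the decode step is inside the try, so sanitizer failures are not mislabelled.
    throw new Error(`That ain't no encoded string mfr`, { cause: err });
  }
  return purify.sanitize(decodedInputText);
};
```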