Jennie Robinson Faber
26c300c357
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
32 lines
695 B
JavaScript
32 lines
695 B
JavaScript
import { marked } from 'marked'
|
|
import DOMPurify from 'isomorphic-dompurify'
|
|
|
|
const ALLOWED_TAGS = [
|
|
'a', 'strong', 'em', 'b', 'i', 'u',
|
|
'ul', 'ol', 'li', 'p', 'br',
|
|
'code', 'pre', 'blockquote',
|
|
'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
|
|
'hr', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
|
|
'del', 'sup', 'sub'
|
|
]
|
|
|
|
const ALLOWED_ATTR = ['href', 'target', 'rel', 'class']
|
|
|
|
export const useMarkdown = () => {
|
|
const render = (markdown) => {
|
|
if (!markdown) return ''
|
|
const raw = marked(markdown, {
|
|
breaks: true,
|
|
gfm: true
|
|
})
|
|
return DOMPurify.sanitize(raw, {
|
|
ALLOWED_TAGS,
|
|
ALLOWED_ATTR,
|
|
ALLOW_DATA_ATTR: false
|
|
})
|
|
}
|
|
|
|
return {
|
|
render
|
|
}
|
|
}
|