diff --git a/bun.lock b/bun.lock
index fb32bd8..9497682 100644
--- a/bun.lock
+++ b/bun.lock
@@ -4,6 +4,9 @@ "workspaces": { "": { "name": "myanimelist-ui", + "dependencies": { + "dompurify": "^3.4.1", + }, "devDependencies": { "@tailwindcss/cli": "^4.2.3", "@toolwind/anchors": "^1.0.10",
@@ -84,8 +87,12 @@ "@toolwind/anchors": ["@toolwind/anchors@1.0.10", "", { "peerDependencies": { "tailwindcss": ">=3.0.0 || >=4.0.0" } }, "sha512-F3J/lxGGPUy+GIpT49NmYMF1X7l0d7UzdDASni29il2ro5sT4cYfPBFHBAfOM0lpgKOr/HnqINlomngt8BcvnA=="], + "@types/trusted-types": ["@types/trusted-types@2.0.7", "", {}, "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw=="], + "detect-libc": ["detect-libc@2.1.2", "", {}, "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ=="], + "dompurify": ["dompurify@3.4.1", "", { "optionalDependencies": { "@types/trusted-types": "^2.0.7" } }, "sha512-JahakDAIg1gyOm7dlgWSDjV4n7Ip2PKR55NIT6jrMfIgLFgWo81vdr1/QGqWtFNRqXP9UV71oVePtjqS2ebnPw=="], + "enhanced-resolve": ["enhanced-resolve@5.20.1", "", { "dependencies": { "graceful-fs": "^4.2.4", "tapable": "^2.3.0" } }, "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA=="], "graceful-fs": ["graceful-fs@4.2.11", "", {}, "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ=="],
diff --git a/package.json b/package.json
index 6106e80..fb7d61f 100644
--- a/package.json
+++ b/package.json
@@ -14,5 +14,8 @@
 "lefthook": "^2.1.6",
 "tailwindcss": "^4.2.3",
 "typescript": "^6.0.3"
+ },
+ "dependencies": {
+ "dompurify": "^3.4.1"
 }
 }
diff --git a/static/player.ts b/static/player.ts
index da184f3..7b8cc1f 100644
--- a/static/player.ts
+++ b/static/player.ts
@@ -4,6 +4,8 @@ declare const htmx: { export {} +import DOMPurify from 'dompurify' + interface ModeSource { token: string subtitles: SubtitleItem[] 
@@ -954,7 +956,7 @@ const loadNextEpisodeInPlace = async (animeID: number, nextEpisode: number): Pro
 const html = await res.text()
 const wrapper = document.createElement('span')
 wrapper.id = 'watch-status-dropdown'
- wrapper.innerHTML = html
+ wrapper.innerHTML = DOMPurify.sanitize(html)
 watchStatusDropdown.replaceWith(wrapper)
 }).catch(() => {})
 }
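Review bot: On the new `wrapper.innerHTML = DOMPurify.sanitize(html)` line the sanitized markup is serialized back to a string and then parsed a second time by `innerHTML`, and that reparse is where parser-differential (mutation) bypasses of a sanitizer take effect; asking DOMPurify for nodes avoids it: `wrapper.replaceChildren(DOMPurify.sanitize(html, { RETURN_DOM_FRAGMENT: true }))`. The call also runs with the default allow-list, which keeps `data-*` and `aria-*` but drops attributes it does not recognise, so if the dropdown fragment carries `hx-*` attributes (the file declares `htmx`; the fragment itself is not visible here) they would be removed. Confirm the dropdown still works after the swap, and if something has to be permitted, name the exact attributes in the config rather than widening the policy. The sanitizer is defence in depth here, so escaping in whatever renders the fragment server-side remains the primary control. `loadNextEpisodeInPlace` starts above this hunk, so the request and its status handling are outside what can be reviewed.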