[PORT] Allows admins to skip some paper sanitization (#10832)

* Cool papers * Tbh Idk if sanitize is needed in this 3 thignies but not my call
BeeStation · Jul 14, 2024 · d8ec343 · d8ec343
1 parent 62f4676
commit d8ec343
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 13 deletions.
diff --git a/code/modules/admin/admin_fax_panel.dm b/code/modules/admin/admin_fax_panel.dm
@@ -124,7 +124,7 @@
 					break
 
 			fax_paper.name = "paper — [default_paper_name]"
-			fax_paper.add_raw_text(params["rawText"])
+			fax_paper.add_raw_text(params["rawText"], advanced_html = TRUE)
 
 			if(stamp)
 				fax_paper.add_stamp(stamp_class, params["stampX"], params["stampY"], params["stampAngle"], stamp)

diff --git a/code/modules/paperwork/paper.dm b/code/modules/paperwork/paper.dm
@@ -162,14 +162,16 @@
  * * text - The text to append to the paper.
  * * font - The font to use.
  * * color - The font color to use.
- * * bold - Whether this text should be rendered completely bold.
+ * * bold - Whether this text should be rendered completely bold
+ * * advanced_html - Boolean that is true when the writer has R_FUN permission, which sanitizes less HTML (such as images) from the new paper_input.
  */
-/obj/item/paper/proc/add_raw_text(text, font, color, bold)
+/obj/item/paper/proc/add_raw_text(text, font, color, bold, advanced_html)
 	var/new_input_datum = new /datum/paper_input(
 		text,
 		font,
 		color,
 		bold,
+		advanced_html,
 	)
 
 	input_field_count += get_input_field_count(text)
@@ -569,7 +571,7 @@
 			// Safe to assume there are writing implement details as user.can_write(...) fails with an invalid writing implement.
 			var/writing_implement_data = holding.get_writing_implement_details()
 
-			add_raw_text(paper_input, writing_implement_data["font"], writing_implement_data["color"], writing_implement_data["use_bold"])
+			add_raw_text(paper_input, writing_implement_data["font"], writing_implement_data["color"], writing_implement_data["use_bold"], check_rights_for(user?.client, R_FUN))
 
 			log_paper("[key_name(user)] wrote to [name]: \"[paper_input]\"")
 			to_chat(user, "You have added to your paper masterpiece!");
@@ -653,22 +655,26 @@
 	var/colour = ""
 	/// Whether to render the font bold or not.
 	var/bold = FALSE
+	/// Whether the creator has R_FUN permission, which allows for less sanitised HTML.
+	var/advanced_html = FALSE
 
-/datum/paper_input/New(_raw_text, _font, _colour, _bold)
+/datum/paper_input/New(_raw_text, _font, _colour, _bold, _advanced_html)
 	raw_text = _raw_text
 	font = _font
 	colour = _colour
 	bold = _bold
+	advanced_html = _advanced_html
 
 /datum/paper_input/proc/make_copy()
-	return new /datum/paper_input(raw_text, font, colour, bold);
+	return new /datum/paper_input(raw_text, font, colour, bold, advanced_html);
 
 /datum/paper_input/proc/to_list()
 	return list(
 		raw_text = raw_text,
 		font = font,
 		color = colour,
 		bold = bold,
+		advanced_html = advanced_html,
 	)
 
 /// A single instance of a saved stamp on paper.

diff --git a/tgui/packages/tgui/interfaces/AntagInfoBrainwashed.tsx b/tgui/packages/tgui/interfaces/AntagInfoBrainwashed.tsx
@@ -62,7 +62,7 @@ const ObjectivePrintout = (_props, context) => {
                 <span
                   // eslint-disable-next-line react/no-danger
                   dangerouslySetInnerHTML={{
-                    __html: sanitizeText(objective.explanation), // brainwashing objectives are sanitized anyways
+                    __html: sanitizeText(objective.explanation, false), // brainwashing objectives are sanitized anyways
                   }}
                 />
               </Stack.Item>

diff --git a/tgui/packages/tgui/interfaces/AntagInfoHoloparasite.tsx b/tgui/packages/tgui/interfaces/AntagInfoHoloparasite.tsx
@@ -184,7 +184,7 @@ const ObjectiveInfo = (_props, context) => {
             <span
               // eslint-disable-next-line react/no-danger
               dangerouslySetInnerHTML={{
-                __html: sanitizeText(objective.explanation),
+                __html: sanitizeText(objective.explanation, false),
               }}
             />
           </Stack.Item>

diff --git a/tgui/packages/tgui/interfaces/PaperSheet.tsx b/tgui/packages/tgui/interfaces/PaperSheet.tsx
@@ -29,6 +29,7 @@ type PaperContext = {
   default_pen_font: string;
   default_pen_color: string;
   signature_font: string;
+  sanitize_test: boolean;
 
   // ui_data
   held_item_details?: WritingImplement;
@@ -39,6 +40,7 @@ type PaperInput = {
   font?: string;
   color?: string;
   bold?: boolean;
+  advanced_html?: boolean;
 };
 
 type StampInput = {
@@ -554,6 +556,7 @@ export class PreviewView extends Component<PreviewViewProps> {
       const fontColor = value.color || default_pen_color;
       const fontFace = value.font || default_pen_font;
       const fontBold = value.bold || false;
+      const advancedHtml = value.advanced_html || false;
 
       let processingOutput = this.formatAndProcessRawText(
         rawText,
@@ -562,7 +565,8 @@ export class PreviewView extends Component<PreviewViewProps> {
         paper_color,
         fontBold,
         fieldCount,
-        readOnly
+        readOnly,
+        advancedHtml
       );
 
       output += processingOutput.text;
@@ -679,16 +683,18 @@ export class PreviewView extends Component<PreviewViewProps> {
     paperColor: string,
     bold: boolean,
     fieldCounter: number = 0,
-    forceReadonlyFields: boolean = false
+    forceReadonlyFields: boolean = false,
+    advanced_html: boolean = false
   ): FieldCreationReturn => {
     // First lets make sure it ends in a new line
+    const { data } = useBackend<PaperContext>(this.context);
     rawText += rawText[rawText.length] === '\n' ? '\n' : '\n\n';
 
     // Second, parse the text using markup
     const parsedText = this.runMarkedDefault(rawText);
 
     // Third, we sanitize the text of html
-    const sanitizedText = sanitizeText(parsedText);
+    const sanitizedText = sanitizeText(parsedText, advanced_html);
 
     // Fourth we replace the [__] with fields
     const fieldedText = this.createFields(sanitizedText, font, 12, color, paperColor, forceReadonlyFields, fieldCounter);

diff --git a/tgui/packages/tgui/interfaces/common/ObjectiveSection.tsx b/tgui/packages/tgui/interfaces/common/ObjectiveSection.tsx
@@ -27,7 +27,7 @@ export const ObjectivesSection = (props: Props, _context) => {
                 <span
                   // eslint-disable-next-line react/no-danger
                   dangerouslySetInnerHTML={{
-                    __html: sanitizeText(objective.explanation),
+                    __html: sanitizeText(objective.explanation, false),
                   }}
                 />
               </Stack.Item>

diff --git a/tgui/packages/tgui/sanitize.js b/tgui/packages/tgui/sanitize.js
@@ -45,21 +45,30 @@ const defTag = [
   'ul',
 ];
 
+// Advanced HTML tags we can trust admins (but no players) with
+
+const advTag = ['img'];
+
 let defAttr = ['class', 'style'];
 
 /**
  * Feed it a string and it should spit out a sanitized version.
  *
  * @param {string} input
+ * @param {boolean} advHtml
  * @param {array} tags
  * @param {array} forbidAttr
+ * @param {array} advTags
  */
-export const sanitizeText = (input, tags = defTag, forbidAttr = defAttr) => {
+export const sanitizeText = (input, advHtml, tags = defTag, forbidAttr = defAttr, advTags = advTag) => {
   // This is VERY important to think first if you NEED
   // the tag you put in here.  We are pushing all this
   // though dangerouslySetInnerHTML and even though
   // the default DOMPurify kills javascript, it dosn't
   // kill href links or such
+  if (advHtml) {
+    tags = tags.concat(advTags);
+  }
   return DOMPurify.sanitize(input, {
     ALLOWED_TAGS: tags,
     FORBID_ATTR: forbidAttr,