
Try to fix some security issues. Part 2.

Thanks to responsible security disclosure contributors and xet7 !
Lauri Ojansivu 2 år sedan
förälder
incheckning
382168a5b4

+ 1 - 1
client/components/activities/activities.js

@@ -1,4 +1,4 @@
-import DOMPurify from 'isomorphic-dompurify';
+import DOMPurify from 'dompurify';
 import { TAPi18n } from '/imports/i18n';
 
 const activitiesPerPage = 500;
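Review bot: Nothing in the hunk records why this module may drop back to plain `dompurify` while `models/attachments.js` in the same commit keeps the isomorphic wrapper; the same unexplained switch appears in `client/components/cards/attachments.js` and `client/components/main/editor.js`. The rule seems to be "client-only code uses dompurify, code that can also run on the server uses isomorphic-dompurify", and a one-line comment at the import would stop the next maintainer from unifying the two again, e.g. `// client-only module: plain dompurify suffices; code that can run server-side must use isomorphic-dompurify`. That these three files load only on the client is inferred from the `client/` path, not from anything visible in the hunks.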

+ 1 - 1
client/components/cards/attachments.js

@@ -1,5 +1,5 @@
 import { ObjectID } from 'bson';
-import DOMPurify from 'isomorphic-dompurify';
+import DOMPurify from 'dompurify';
 
 const filesize = require('filesize');
 const prettyMilliseconds = require('pretty-ms');

+ 1 - 1
client/components/main/editor.js

@@ -283,7 +283,7 @@ BlazeComponent.extendComponent({
   }
 }).register('editor');
 
-import DOMPurify from 'isomorphic-dompurify';
+import DOMPurify from 'dompurify';
 
 // Additional  safeAttrValue function to allow for other specific protocols
 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114

+ 1 - 0
models/attachments.js

@@ -151,6 +151,7 @@ if (Meteor.isServer) {
       check(fileObjId, String);
       check(newName, String);
       // If new name is same as sanitized name, does not have XSS, allow rename file
+      // Using isomorphic-dompurify that is isometric so it works also serverside.
       if (newName === DOMPurify.sanitize(newName)) {
         const fileObj = Attachments.findOne({_id: fileObjId});
         rename(fileObj, newName, fileStoreStrategyFactory);
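Review bot: The comment added above the rename check misspells the package name — `isometric` should be `isomorphic` — and the import it refers to is outside the hunk, so it is worth naming the package explicitly: `// DOMPurify here comes from isomorphic-dompurify, so this check also works server-side.` Separately, `newName === DOMPurify.sanitize(newName)` refuses any name that DOMPurify would rewrite, which includes harmless names containing `&`, `<` or `>` (sanitize returns them entity-encoded or stripped), so some legitimate renames appear to be refused; the else branch, if there is one, lies outside the hunk, so it is unclear whether the caller gets any feedback. An explicit filename validation (reject control characters and path separators, bound the length) would state the intent more directly than round-tripping the name through an HTML sanitizer. The enclosing method starts and ends outside the hunk.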

+ 262 - 519
package-lock.json


+ 2 - 1
package.json

@@ -31,6 +31,7 @@
     "bcryptjs": "^2.4.3",
     "bson": "^4.5.2",
     "bunyan": "^1.8.15",
+    "canvas": "^2.11.0",
     "core-js": "^3.18.2",
     "dompurify": "^2.4.1",
     "es6-promise": "^4.2.4",
@@ -51,7 +52,7 @@
     "markdown-it-emoji": "^2.0.0",
     "markdown-it-mathjax3": "^4.3.1",
     "meteor-accounts-t9n": "^2.6.0",
-    "meteor-node-stubs": "^1.1.0",
+    "meteor-node-stubs": "^1.2.5",
     "moment": "^2.29.4",
     "nodemailer": "^6.6.3",
     "os": "^0.1.2",
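Review bot: The new `canvas` dependency is added without any mention in the commit message, and nothing else in the visible diff shows what consumes it; `canvas` is a native addon with its own build step, so it widens the build and supply-chain surface of what is described as a security fix. Recording why it is needed (in the commit description or a changelog entry) would let reviewers audit the addition rather than guess at it. The `meteor-node-stubs` bump in the second hunk is self-explanatory and needs nothing.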

+ 1 - 0
packages/markdown/src/template-integration.js

@@ -65,6 +65,7 @@ if (Package.ui) {
       text = Blaze._toText(self.templateContentBlock, HTML.TEXTMODE.STRING);
     }
 
+    // Using isomorphic-dompurify that is isometric so it works also serverside
     return HTML.Raw(DOMPurify.sanitize(Markdown.render(text), {ALLOW_UNKNOWN_PROTOCOLS: true}));
   }));
 }
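Review bot: The comment added before the `return` misspells `isomorphic` as `isometric` and says nothing about the more important detail on that line, the `ALLOW_UNKNOWN_PROTOCOLS: true` option, which widens what DOMPurify accepts in URL attributes. A comment stating both would serve the reader better, e.g. `// DOMPurify from isomorphic-dompurify (works server-side too). ALLOW_UNKNOWN_PROTOCOLS lets rendered links keep non-standard schemes; DOMPurify still rejects script/data URLs.` The package the `DOMPurify` binding comes from is not visible in this hunk, so that part of the comment should be checked against the file's import.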

+ 1 - 1
rebuild-wekan.sh

@@ -91,7 +91,7 @@ do
 		#sudo chown -R $(id -u):$(id -g) $HOME/.npm $HOME/.meteor
 		rm -rf .build/bundle node_modules .meteor/local .build
 		meteor npm install
-		meteor build .build --directory
+		meteor build .build --directory --platforms=web.browser
 		rm -rf .build/bundle/programs/web.browser.legacy
 		(cd .build/bundle/programs/server && rm -rf node_modules && chmod u+w *.json && meteor npm install)
                 (cd .build/bundle/programs/server/node_modules/fibers && node build.js)
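Review bot: With `--platforms=web.browser` the legacy browser bundle should no longer be produced, so the `rm -rf .build/bundle/programs/web.browser.legacy` on the following line becomes a no-op; either drop it or mark it, e.g. `# no-op since --platforms=web.browser; kept only as a guard`. The same applies to `releases/rebuild-release.sh`, where the existing comment about removing the legacy bundle now describes the build flag rather than the rm that follows it. That the flag omits the legacy build is inferred from its documented meaning, not from the hunk, and the loop body continues outside the hunk.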

+ 1 - 1
releases/rebuild-release.sh

@@ -9,7 +9,7 @@ sudo chown -R $(id -u):$(id -g) $HOME/.npm $HOME/.meteor
 rm -rf node_modules
 meteor npm install
 rm -rf .build
-METEOR_PROFILE=100 meteor build .build --directory
+METEOR_PROFILE=100 meteor build .build --directory --platforms=web.browser
 # Remove legacy webbroser bundle, so that Wekan works also at Android Firefox, iOS Safari, etc.
 rm -rf .build/bundle/programs/web.browser.legacy
 cd .build/bundle/programs/server
