Merge pull request #1529 from bartbutenaers/notification-injected-css…

…-fix Notification: sanetized style fix
FlowFuse · Dec 11, 2024 · 23e82cd · 23e82cd
2 parents b32cdc3 + c992878
commit 23e82cd
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/ui/src/widgets/ui-notification/UINotification.vue b/ui/src/widgets/ui-notification/UINotification.vue
@@ -62,8 +62,12 @@ export default {
         value: function () {
             // Get the value (i.e. the notification text content) from the last input msg
             const value = this.messages[this.id]?.payload
-            // Sanetize the html to avoid XSS attacks
-            return DOMPurify.sanitize(value)
+
+            // Sanetize the html to avoid XSS attacks.
+            // Allow 'style' tags to allow styling of the notification content.
+            // The FORCE_BODY is required to avoid 'style' tags (at the start of the value string) still being skipped.
+            const sanetizedValue = DOMPurify.sanitize(value, { ADD_TAGS: ['style'], FORCE_BODY: true })
+            return sanetizedValue
         },
         allowConfirm () {
             return this.getProperty('allowConfirm')