fix(backend): happy-domで外部HTMLをパースする際に関連リソースが読み込まれる問題を修正 (#14521)

* bump happy-dom, disable all JS&c when parsing version 10 didn't quite support disabling all of that I have tested that `MfmService` (the other code that uses `happy-dom`) still works fine: the RSS feed for a user is generated correctly, with HTML rendered from MFM (cherry picked from commit 26e0412fbb91447c37e8fb06ffb0487346063bb8) * Update Changelog * lint * fix possible memory leak --------- Co-authored-by: dakkar <dakkar@thenautilus.net>
2024-09-15 12:30:27 +09:00
parent e0f54d6a68
commit be0906a6c7
4 changed files with 47 additions and 10 deletions
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -119,7 +119,7 @@
 		"fluent-ffmpeg": "2.1.3",
 		"form-data": "4.0.0",
 		"got": "14.4.2",
-		"happy-dom": "10.0.3",
+		"happy-dom": "15.6.1",
 		"hpagent": "1.2.0",
 		"htmlescape": "1.1.1",
 		"http-link-header": "1.1.3",
--- a/packages/backend/src/core/activitypub/ApRequestService.ts
+++ b/packages/backend/src/core/activitypub/ApRequestService.ts
@@ -207,16 +207,41 @@ export class ApRequestService {

 		if ((contentType ?? '').split(';')[0].trimEnd().toLowerCase() === 'text/html' && _followAlternate === true) {
 			const html = await res.text();
-			const window = new Window();
+			const window = new Window({
+				settings: {
+					disableJavaScriptEvaluation: true,
+					disableJavaScriptFileLoading: true,
+					disableCSSFileLoading: true,
+					disableComputedStyleRendering: true,
+					handleDisabledFileLoadingAsSuccess: true,
+					navigation: {
+						disableMainFrameNavigation: true,
+						disableChildFrameNavigation: true,
+						disableChildPageNavigation: true,
+						disableFallbackToSetURL: true,
+					},
+					timer: {
+						maxTimeout: 0,
+						maxIntervalTime: 0,
+						maxIntervalIterations: 0,
+					},
+				},
+			});
 			const document = window.document;
-			document.documentElement.innerHTML = html;
+			try {
+				document.documentElement.innerHTML = html;

-			const alternate = document.querySelector('head > link[rel="alternate"][type="application/activity+json"]');
-			if (alternate) {
-				const href = alternate.getAttribute('href');
-				if (href) {
-					return await this.signedGet(href, user, false);
+				const alternate = document.querySelector('head > link[rel="alternate"][type="application/activity+json"]');
+				if (alternate) {
+					const href = alternate.getAttribute('href');
+					if (href) {
+						return await this.signedGet(href, user, false);
+					}
 				}
+			} catch (e) {
+				// something went wrong parsing the HTML, ignore the whole thing
+			} finally {
+				window.close();
 			}
 		}
 		//#endregion