From 6c016cf443443a7bea76479e602b043cb8d5e8be Mon Sep 17 00:00:00 2001
From: Sepro <SeproDE@users.noreply.github.com>
Date: Mon, 19 Oct 2020 06:39:19 +0200
Subject: [PATCH] Place WebUI RSS description in sandboxed iframe

---
 src/webui/www/private/views/rss.html | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/webui/www/private/views/rss.html b/src/webui/www/private/views/rss.html
index 7ef89809a..5bf625d2c 100644
--- a/src/webui/www/private/views/rss.html
+++ b/src/webui/www/private/views/rss.html
@@ -72,6 +72,11 @@
         width: 100%;
     }
 
+    #rssDescription {
+        width: 100%;
+        border: none;
+    }
+
 </style>
 
 <div id="rssView">
@@ -423,11 +428,15 @@
 
                     return torrentDate;
                 })());
-                // Strip script before interpreting html
-                let torrentDescription = document.createRange().createContextualFragment(
-                    '<div id="rssTorrentDetailsDescription">' + article.description.stripScripts() + '</div>');
-
+                // Place in iframe with sandbox atribute to prevent js execution
+                let torrentDescription = document.createRange().createContextualFragment('<iframe sandbox id="rssDescription"></iframe>');
                 $('rssDetailsView').append(torrentDescription);
+                document.getElementById('rssDescription').srcdoc = '<html><head><link rel="stylesheet" type="text/css" href="css/style.css" /></head><body>' + article.description + "</body></html>";
+                
+                //calculate height to fill screen
+                document.getElementById('rssDescription').style.height =
+                    "calc(100% - " + document.getElementById('rssTorrentDetailsName').offsetHeight + "px - " + 
+                    document.getElementById('rssTorrentDetailsDate').offsetHeight + "px - 5px)";
             }
         };