Closed Jeff-411 closed 10 months ago
Interesting :D I'd say why not, do you have some example markup so we can have a closer look?
Sure. Here's the content of browser_export_file.html -- one of the test uploads I'm using for "Bookmarks Ripper" development.
The only change I've made to the standard export/import markup in the example below is to edit out the base64 strings.
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
It will be read and overwritten.
DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
<DT><H3 ADD_DATE="1678057016" LAST_MODIFIED="1696348108" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks bar</H3>
<DL><p>
<DT><H3 ADD_DATE="1696347783" LAST_MODIFIED="1696348291">Export me</H3>
<DL><p>
<DT><A HREF="https://www.akc.org/dog-breeds/poodle-standard/" ADD_DATE="1696347813" ICON="...">Poodle Dog Breed Information</A>
<DT><H3 ADD_DATE="1696348152" LAST_MODIFIED="1696348244">Folder 1</H3>
<DL><p>
<DT><A HREF="https://en.wikipedia.org/wiki/Pickled_cucumber" ADD_DATE="1696348216" ICON="...">Pickled cucumber - Wikipedia</A>
<DT><A HREF="https://en.wikipedia.org/wiki/Cattle" ADD_DATE="1696348244" ICON="...">Cattle - Wikipedia</A>
</DL><p>
<DT><H3 ADD_DATE="1696348287" LAST_MODIFIED="1697136137">Folder 2</H3>
<DL><p>
<DT><A HREF="https://en.wikipedia.org/wiki/Apple" ADD_DATE="1696348291" ICON="...">Apple - Wikipedia</A>
</DL><p>
</DL><p>
<DT><H3 ADD_DATE="1696187838" LAST_MODIFIED="1697136146">test</H3>
<DL><p>
<DT><A HREF="https://en.wikipedia.org/wiki/Waltzing_Matilda" ADD_DATE="1697136137" ICON="...">Waltzing Matilda - Wikipedia</A>
</DL><p>
</DL><p>
</DL><p>
Yup, if you allow-list the additional attributes, this should indeed work :)
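The allow-listing suggested above, sketched as a dependency-free pre-check of an upload (an added example, not part of the thread and not DOMPurify's code). The per-tag allow-list is taken from the sample export, and its extra attribute names are what would be passed to DOMPurify's `ADD_ATTR` option. The http/https-only rule, the function names and the two sample strings are assumptions.

```javascript
// Per-tag attribute allow-list taken from the sample export in this thread;
// names are lowercased, as an HTML parser reports them.
const ALLOWED = new Map([
  ['dl', []], ['dt', []], ['p', []], ['h1', []], ['title', []],
  ['meta', ['http-equiv', 'content']],
  ['h3', ['add_date', 'last_modified', 'personal_toolbar_folder']],
  ['a', ['href', 'add_date', 'icon']],
]);
// Assumption: only web links are accepted as bookmark targets.
const ALLOWED_SCHEMES = ['http:', 'https:'];
// Extra attributes a sanitizer must be told to keep (e.g. DOMPurify's ADD_ATTR).
const EXTRA_ATTRS = [...new Set([...ALLOWED.get('h3'), ...ALLOWED.get('a')])]
  .filter((name) => name !== 'href');

function hasAllowedScheme(value) {
  try {
    return ALLOWED_SCHEMES.includes(new URL(value.trim()).protocol);
  } catch {
    return false; // relative or malformed URL
  }
}

// Returns findings; an empty array means the upload stays inside the allow-list.
function auditBookmarkExport(html) {
  const findings = [];
  const body = html.replace(/<!--[\s\S]*?-->/g, '').replace(/<!DOCTYPE[^>]*>/gi, '');
  const tagRe = /<([a-z][\w:-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const [, rawTag, rawAttrs] of body.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    if (!ALLOWED.has(tag)) {
      findings.push({ kind: 'tag', tag });
      continue;
    }
    for (const m of rawAttrs.matchAll(attrRe)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!ALLOWED.get(tag).includes(name)) {
        findings.push({ kind: 'attribute', tag, name });
      } else if (name === 'href' && !hasAllowedScheme(value)) {
        findings.push({ kind: 'scheme', tag, value });
      }
    }
  }
  return findings;
}
// Constructed samples: one in the shape of the export above, one tampered.
const CLEAN = '<DL><p><DT><H3 ADD_DATE="1696348287" LAST_MODIFIED="1697136137">Folder 2</H3><DL><p><DT><A HREF="https://en.wikipedia.org/wiki/Apple" ADD_DATE="1696348291" ICON="...">Apple - Wikipedia</A></DL><p></DL><p>';
const TAMPERED = '<DT><A HREF="javascript:void(0)" ADD_DATE="1" ONCLICK="x()">link</A><IMG SRC="x">';
```

A non-empty result from `auditBookmarkExport` is a reason to reject the upload before any bookmark data is extracted from it.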
Total newbie asks...
I'm building an Express app ("Bookmarks Ripper") where users upload the files that browsers use to export/import bookmarks. The syntax of these <!DOCTYPE NETSCAPE-Bookmark-file-1> files is quite odd. I'm using Multer to restrict the file type and size, but I'm wondering...
Could I use DOMPurify to sanitize these uploads, to reduce my chances of getting hit by malicious code?