fix(vue): markdownContainer TypeError

package-lock.json

@@ -45,7 +45,7 @@
         "gulp-imagemin": "^7.1.0",
         "gulp.spritesmith": "^6.13.0",
         "habitica-markdown": "^3.0.0",
-        "helmet": "^4.6.0",
+        "helmet": "^8.1.0",
         "in-app-purchase": "^1.11.3",
         "js2xmlparser": "^5.0.0",
         "jsonwebtoken": "^9.0.2",
@@ -12450,11 +12450,11 @@
       }
     },
     "node_modules/helmet": {
-      "version": "4.6.0",
+      "version": "8.1.0",
-      "resolved": "https://registry.npmjs.org/helmet/-/helmet-4.6.0.tgz",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
-      "integrity": "sha512-HVqALKZlR95ROkrnesdhbbZJFi/rIVSoNq6f3jA/9u6MIbTsPh3xZwihjeI5+DO/2sOV6HMHooXcEOuwskHpTg==",
+      "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
       "engines": {
-        "node": ">=10.0.0"
+        "node": ">=18.0.0"
       }
     },
     "node_modules/hex2dec": {

package.json

@@ -40,7 +40,7 @@
     "gulp-imagemin": "^7.1.0",
     "gulp.spritesmith": "^6.13.0",
     "habitica-markdown": "^3.0.0",
-    "helmet": "^4.6.0",
+    "helmet": "^8.1.0",
     "in-app-purchase": "^1.11.3",
     "js2xmlparser": "^5.0.0",
     "jsonwebtoken": "^9.0.2",

website/client/src/components/messages/messageCard.vue

@@ -491,6 +491,9 @@ export default {
   },
   methods: {
     mapProfileLinksToModal () {
+      if (!this.$refs?.markdownContainer) {
+        return;
+      }
       const links = this.$refs.markdownContainer.getElementsByTagName('a');
       for (let i = 0; i < links.length; i += 1) {
         let link = links[i].pathname;

website/server/middlewares/index.js

@@ -66,7 +66,35 @@ export default function attachMiddlewares (app, server) {
   // See https://helmetjs.github.io/ for the list of headers enabled by default
   app.use(helmet({
     // New middlewares added by default in Helmet 4 are disabled
-    contentSecurityPolicy: false, // @TODO implement
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: [
+          '*.habitica.com',
+          '*.amazon.com',
+          '*.amazonaws.com',
+          '*.loggly.com',
+          '*.payments-amazon.com',
+          '*.stripe.com',
+          '*.stripe.network',
+        ],
+        imgSrc: [
+          '*',
+          'data:',
+        ],
+        scriptSrc: [
+          '\'unsafe-eval\'',
+          '\'unsafe-inline\'',
+          '*.habitica.com',
+          '*.amazon.com',
+          '*.amazonaws.com',
+          '*.loggly.com',
+          '*.payments-amazon.com',
+          '*.stripe.com',
+          '*.stripe.network',
+        ],
+        upgradeInsecureRequests: IS_PROD ? [] : null,
+      },
+    },
     expectCt: false,
     permittedCrossDomainPolicies: false,
     referrerPolicy: false,