Migrate to pagedown for markdown parsing #514
Merged
We have recently been notified by Marcin Teodorczyk from https://www.intive.com about a vulnerability in Home Assistant: we did not sanitize the Markdown output. This means that our users have been vulnerable to script injection attacks. The severity is low, as to be able to create a persistent notification an attacker would need access to the instance.
Then, when migrating to the new package format, I accidentally removed the markdown file so the vulnerability no longer existed, but neither did the persistent notifications work.
While adding back a sanitized version of the markdown parser, I realized that when the component was migrated to ES6 in #465 we forgot to call `super.ready()`, so the Polymer template never initialized. That too actually resolved the vulnerability 😉

This PR migrates to use Pagedown, the Markdown renderer used by StackExchange: https://github.com/StackExchange/pagedown . This renderer includes a sanitizer after which I was no longer able to reproduce the script injection attack supplied by Marcin.
As a bonus, when the script fails to load, we will render the message as text content.
I think that we should take a closer look at what we want to support in the persistent notification markdown. We might just want to limit it to links and maybe paragraphs? (That's for a future PR)
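As an added example (not code from this PR, from Home Assistant or from Pagedown), the two defensive behaviours described above in one place: a tag-allowlist sanitizer modelled on the approach Pagedown's sanitizer takes on the rendered HTML, and a fallback to plain text when no renderer is available. The allowlist patterns, `sanitizeHtml` and `renderNotification` are my own constructions, and the inputs in the comments are constructed samples.

```javascript
// Tags allowed only in their bare form, with no attributes at all
// (assumed allowlist, modelled on the kind of list a Markdown sanitizer keeps).
const BASIC_TAG = /^(<\/?(b|blockquote|code|del|dd|dl|dt|em|h1|h2|h3|i|kbd|li|ol|p|pre|s|sup|sub|strong|strike|ul)>|<(br|hr)\s?\/?>)$/;
// Links: only http(s) hrefs with a restricted character set and an optional title.
// Anything else on an <a> (e.g. a javascript: URL or an event handler) fails the match.
const A_TAG = /^(<a\shref="(https?):\/\/[-A-Za-z0-9+&@#\/%?=~_|!:,.;()]+"(\stitle="[^"<>]+")?\s?>|<\/a>)$/;

// Keep a tag only if it matches an allowlist pattern; otherwise drop the tag itself.
// The text between the tags survives, so "<script>alert(1)</script>" becomes the
// harmless text "alert(1)" rather than vanishing silently.
function sanitizeTag(tag) {
  return BASIC_TAG.test(tag) || A_TAG.test(tag) ? tag : "";
}

// Run every "<...>" fragment of the rendered HTML through sanitizeTag.
// Input is the HTML produced by the Markdown converter, not the raw Markdown.
function sanitizeHtml(html) {
  return html.replace(/<[^>]*>?/gi, sanitizeTag);
}

// Render one persistent notification. `converter` is assumed to be a function
// Markdown -> HTML (e.g. a converter's makeHtml); when it is absent because the
// renderer script failed to load, the raw message is returned to be assigned to
// textContent, which the browser never interprets as markup.
function renderNotification(message, converter) {
  if (typeof converter !== "function") {
    return { mode: "text", content: message };
  }
  return { mode: "html", content: sanitizeHtml(converter(message)) };
}
```

`renderNotification` returns a descriptor rather than touching the DOM so the same logic can be unit-tested outside a browser; in the component, `mode: "text"` maps to `el.textContent = content` and `mode: "html"` to `el.innerHTML = content`.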