From 3764218fc8317f649555709c81167d0375d884a3 Mon Sep 17 00:00:00 2001 From: maxceem Date: Wed, 9 Sep 2020 17:55:10 +0300 Subject: [PATCH] fix: sanitize message HTML ref issue #4115 --- package-lock.json | 90 ++++++++++++++++++++++++++++++++++ package.json | 3 +- src/helpers/markdownToState.js | 7 ++- 3 files changed, 98 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 8a4aa5c60..23268bebc 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12193,6 +12193,11 @@ "pngjs": "^3.2.0" } }, + "parse-srcset": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/parse-srcset/-/parse-srcset-1.0.2.tgz", + "integrity": "sha1-8r0iH2zJcKk42IVWq8WJyqqiveE=" + }, "parse5": { "version": "1.5.1", "resolved": "https://registry.npmjs.org/parse5/-/parse5-1.5.1.tgz", 
@@ -17211,6 +17216,91 @@ "resolved": "https://registry.npmjs.org/samsam/-/samsam-1.1.2.tgz", "integrity": "sha1-vsEf3IOp/aBjQBIQ5AF2wwJNFWc=" }, + "sanitize-html": { + "version": "1.27.4", + "resolved": "https://registry.npmjs.org/sanitize-html/-/sanitize-html-1.27.4.tgz", + "integrity": "sha512-VvY1hxVvMXzSos/LzqeBl9/KYu3mkEOtl5NMwz6jER318dSHDCig0AOjZOtnoCwAC3HMs9LhfWkPCmQGttb4ng==", + "requires": { + "htmlparser2": "^4.1.0", + "lodash": "^4.17.15", + "parse-srcset": "^1.0.2", + "postcss": "^7.0.27" + }, + "dependencies": { + "dom-serializer": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-1.0.1.tgz", + "integrity": "sha512-1Aj1Qy3YLbdslkI75QEOfdp9TkQ3o8LRISAzxOibjBs/xWwr1WxZFOQphFkZuepHFGo+kB8e5FVJSS0faAJ4Rw==", + "requires": { + "domelementtype": "^2.0.1", + "domhandler": "^3.0.0", + "entities": "^2.0.0" + } + }, + "domelementtype": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-2.0.1.tgz", + "integrity": "sha512-5HOHUDsYZWV8FGWN0Njbr/Rn7f/eWSQi1v7+HsUVwXgn8nWWlL64zKDkS0n8ZmQ3mlWOMuXOnR+7Nx/5tMO5AQ==" + }, + "domhandler": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-3.0.0.tgz", + "integrity": "sha512-eKLdI5v9m67kbXQbJSNn1zjh0SDzvzWVWtX+qEI3eMjZw8daH9k8rlj1FZY9memPwjiskQFbe7vHVVJIAqoEhw==", + "requires": { + "domelementtype": "^2.0.1" + } + }, + "domutils": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/domutils/-/domutils-2.2.0.tgz", + "integrity": "sha512-0haAxVr1PR0SqYwCH7mxMpHZUwjih9oPPedqpR/KufsnxPyZ9dyVw1R5093qnJF3WXSbjBkdzRWLw/knJV/fAg==", + "requires": { + "dom-serializer": "^1.0.1", + "domelementtype": "^2.0.1", + "domhandler": "^3.0.0" + } + }, + "entities": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/entities/-/entities-2.0.3.tgz", + "integrity": "sha512-MyoZ0jgnLvB2X3Lg5HqpFmn1kybDiIfEQmKzTb5apr51Rb+T3KdmMiqa70T+bhGnyv7bQ6WMj2QMHpGMmlrUYQ==" + }, + "htmlparser2": { + 
"version": "4.1.0", + "resolved": "https://registry.npmjs.org/htmlparser2/-/htmlparser2-4.1.0.tgz", + "integrity": "sha512-4zDq1a1zhE4gQso/c5LP1OtrhYTncXNSpvJYtWJBtXAETPlMfi3IFNjGuQbYLuVY4ZR0QMqRVvo4Pdy9KLyP8Q==", + "requires": { + "domelementtype": "^2.0.1", + "domhandler": "^3.0.0", + "domutils": "^2.0.0", + "entities": "^2.0.0" + } + }, + "postcss": { + "version": "7.0.32", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz", + "integrity": "sha512-03eXong5NLnNCD05xscnGKGDZ98CyzoqPSMjOe6SuoQY7Z2hIj0Ld1g/O/UQRuOle2aRtiIRDg9tDcTGAkLfKw==", + "requires": { + "chalk": "^2.4.2", + "source-map": "^0.6.1", + "supports-color": "^6.1.0" + } + }, + "source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==" + }, + "supports-color": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz", + "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==", + "requires": { + "has-flag": "^3.0.0" + } + } + } + }, "sass-graph": { "version": "2.2.4", "resolved": "https://registry.npmjs.org/sass-graph/-/sass-graph-2.2.4.tgz", diff --git a/package.json b/package.json index 3739f1715..3fe301682 100644 --- a/package.json +++ b/package.json @@ -147,7 +147,8 @@ "redux-promise-middleware": "4.2.1", "redux-segment": "^1.6.2", "redux-thunk": "^2.1.0", - "remarkable": "^1.7.1", + "remarkable": "^1.7.4", + "sanitize-html": "^1.27.4", "svg-react-loader": "^0.4.5", "tc-accounts": "git+https://github.com/appirio-tech/accounts-app.git#v1.0.4", "tc-ui": "git+https://github.com/appirio-tech/tc-ui.git#feature/connectv2", diff --git a/src/helpers/markdownToState.js b/src/helpers/markdownToState.js index cb6db1ea6..376c4b1ad 100644 --- a/src/helpers/markdownToState.js +++ b/src/helpers/markdownToState.js 
@@ -1,4 +1,5 @@
 import {convertFromRaw} from 'draft-js'
+import sanitizeHtml from 'sanitize-html'
 const Remarkable = require('remarkable')
 // Block level items, key is Remarkable's key for them, value returned is
@@ -218,7 +219,11 @@ export function markdownToHTML(markdown) {
 // typographer: true,
 })
 // Replace the BBCode [u][/u] to markdown '++' for underline style
- const _markdown = markdown.replace(new RegExp('\\[/?u\\]', 'g'), '++')
+ let _markdown = markdown.replace(new RegExp('\\[/?u\\]', 'g'), '++')
+ _markdown = sanitizeHtml(_markdown, {
+ allowedTags: [ 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b', 'i', 'strong', 'em', 'strike', 'abbr', 'code', 'br', 'pre' ],
+ disallowedTagsMode: 'escape'
+ })
 return md.render(_markdown, {}) // remarkable js takes markdown and makes it an array of style objects for us to easily parse
 }
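Review bot: The allowlist is applied to the markdown source rather than to the HTML that `md.render` returns, so the string handed to the caller is Remarkable's output, not the sanitized one, and whether raw HTML survives rendering depends on the renderer options set above this hunk, which this placement cannot enforce. Sanitizing the output instead — keep `const _markdown = markdown.replace(new RegExp('\\[/?u\\]', 'g'), '++')`, then `const html = md.render(_markdown, {})` and `return sanitizeHtml(html, { allowedTags: [...same list...], disallowedTagsMode: 'escape' })` — makes the allowlist apply to the final HTML regardless of renderer configuration. Pre-render sanitization also rewrites `<` and `&` in plain text and inside backtick code spans or fenced blocks; if Remarkable escapes code contents itself, those would render double-escaped. Since `allowedAttributes` and `allowedSchemes` are left at sanitize-html defaults, stating them explicitly next to `allowedTags` would make the `href` policy for `a` visible in this file. `markdownToHTML` begins outside the hunk (the `// typographer: true,` line is the tail of the renderer options object).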