Sanitize HTML

vatesfr · Jan 23, 2024 · 3d03e70 · 3d03e70
1 parent ca27f10
commit 3d03e70
Show file tree

Hide file tree

Showing 3 changed files with 5,494 additions and 3,926 deletions.
diff --git a/packages/xo-web/package.json b/packages/xo-web/package.json
@@ -123,6 +123,7 @@
     "relative-luminance": "^2.0.1",
     "reselect": "^2.5.4",
     "rimraf": "^5.0.1",
+    "sanitize-html": "^2.11.0",
     "sass": "^1.38.1",
     "semver": "^6.0.0",
     "strip-ansi": "^5.2.0",

diff --git a/packages/xo-web/src/xo-app/vm/tab-general.js b/packages/xo-web/src/xo-app/vm/tab-general.js
@@ -10,6 +10,7 @@ import marked from 'marked'
 import React from 'react'
 import HomeTags from 'home-tags'
 import renderXoItem, { VmTemplate } from 'render-xo-item'
+import sanitizeHtml from 'sanitize-html'
 import Tooltip from 'tooltip'
 import { addTag, editVm, editVmNotes, removeTag, subscribeUsers } from 'xo'
 import { BlockLink } from 'link'
@@ -41,6 +42,10 @@ const NOTES_STYLE = {
   borderRadius: '10px',
 }
 
+const SANITIZE_OPTIONS = {
+  allowedTags: sanitizeHtml.defaults.allowedTags.concat(['img']),
+}
+
 const GuestToolsDetection = ({ vm }) => {
   if (vm.power_state !== 'Running' || vm.pvDriversDetected === undefined) {
     return null
@@ -288,7 +293,13 @@ const GeneralTab = decorate([
         )}
         <Row className='mt-1'>
           <div style={NOTES_STYLE}>
-            {vm.notes !== undefined && <p dangerouslySetInnerHTML={{ __html: marked(vm.notes) }} />}
+            {vm.notes !== undefined && (
+              <p
+                dangerouslySetInnerHTML={{
+                  __html: sanitizeHtml(marked(vm.notes), SANITIZE_OPTIONS),
+                }}
+              />
+            )}
             <ActionButton icon='edit' handler={editVmNotes} handlerParam={vm}>
               {_('editVmNotes')}
             </ActionButton>