client/markdown: use DOMPurify over marked.js sanitizer

See markedjs/marked#1232
2020-06-23 13:24:59 -04:00 · 2020-06-23 13:24:59 -04:00 · 0137cf383a
commit 0137cf383a
parent 342ca9ccba
4 changed files with 10 additions and 4 deletions
--- a/client/build.js
+++ b/client/build.js
@ -21,6 +21,7 @@ const webapp_splash_screens = [
 ];

 const external_js = [
+    'dompurify',
    'js-cookie',
    'marked',
    'mousetrap',
--- a/client/js/util/markdown.js
+++ b/client/js/util/markdown.js
@ -1,6 +1,7 @@
 "use strict";

 const marked = require("marked");
+const DOMPurify = require("dompurify");

 class BaseMarkdownWrapper {
    preprocess(text) {
@ -158,7 +159,6 @@ function formatMarkdown(text) {
    const options = {
        renderer: renderer,
        breaks: true,
-        sanitize: true,
        smartypants: true,
    };
    let wrappers = [
@ -179,7 +179,7 @@ function formatMarkdown(text) {
    for (let wrapper of wrappers) {
        text = wrapper.postprocess(text);
    }
-    return text;
+    return DOMPurify.sanitize(text);
 }

 function formatInlineMarkdown(text) {
@ -187,7 +187,6 @@ function formatInlineMarkdown(text) {
    const options = {
        renderer: renderer,
        breaks: true,
-        sanitize: true,
        smartypants: true,
    };
    let wrappers = [
@ -206,7 +205,7 @@ function formatInlineMarkdown(text) {
    for (let wrapper of wrappers) {
        text = wrapper.postprocess(text);
    }
-    return text;
+    return DOMPurify.sanitize(text);
 }

 module.exports = {
--- a/client/package-lock.json
+++ b/client/package-lock.json
@ -1740,6 +1740,11 @@
      "integrity": "sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==",
      "dev": true
    },
+    "dompurify": {
+      "version": "2.0.11",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.0.11.tgz",
+      "integrity": "sha512-qVoGPjIW9IqxRij7klDQQ2j6nSe4UNWANBhZNLnsS7ScTtLb+3YdxkRY8brNTpkUiTtcXsCJO+jS0UCDfenLuA=="
+    },
    "duplexer2": {
      "version": "0.1.4",
      "resolved": "https://registry.npmjs.org/duplexer2/-/duplexer2-0.1.4.tgz",
--- a/client/package.json
+++ b/client/package.json
@ -6,6 +6,7 @@
    "watch": "c1=\"\";while :;do c2=$(find html js css img -type f -and -not -iname '*autogen*'|sort|xargs cat|md5sum);[[ $c1 != $c2 ]]&&npm run build -- --debug --no-vendor-js;c1=$c2;sleep 1;done"
  },
  "dependencies": {
+    "dompurify": "^2.0.11",
    "font-awesome": "^4.7.0",
    "ios-inner-height": "^1.0.3",
    "js-cookie": "^2.2.0",