diff --git a/package.json b/package.json --- a/package.json +++ b/package.json @@ -20,6 +20,7 @@ "clipboard": "^2.0.4", "d3": "^5.9.2", "datatables.net-bs4": "^1.10.19", + "dompurify": "^1.0.10", "elementsfrompoint-polyfill": "^1.0.0", "font-awesome": "^4.7.0", "highlight.js": "^9.15.6", @@ -34,7 +35,6 @@ "pdfjs-dist": "^2.0.943", "popper.js": "^1.15.0", "showdown": "^1.9.0", - "showdown-xss-filter": "^0.2.0", "typeface-alegreya": "0.0.69", "typeface-alegreya-sans": "^0.0.72", "url-search-params-polyfill": "^5.1.0", diff --git a/swh/web/assets/src/bundles/webapp/readme-rendering.js b/swh/web/assets/src/bundles/webapp/readme-rendering.js --- a/swh/web/assets/src/bundles/webapp/readme-rendering.js +++ b/swh/web/assets/src/bundles/webapp/readme-rendering.js @@ -1,16 +1,38 @@ /** - * Copyright (C) 2018 The Software Heritage developers + * Copyright (C) 2018-2019 The Software Heritage developers * See the AUTHORS file at the top-level directory of this distribution * License: GNU Affero General Public License version 3, or any later version * See top-level LICENSE file for more information */ +import DOMPurify from 'dompurify'; + import {handleFetchError} from 'utils/functions'; +DOMPurify.addHook('uponSanitizeAttribute', function(node, data) { + if (node.nodeName === 'IMG' && data.attrName === 'src') { + // remove leading slash from image src to fix rendering + if (data.attrValue.startsWith('/')) { + data.attrValue = data.attrValue.slice(1); + } + } +}); + +// Filter out potential XSS attacks before rendering HTML +function xssFilter() { + return [ + { + type: 'output', + filter: text => { + return DOMPurify.sanitize(text); + } + } + ]; +}; + export async function renderMarkdown(domElt, markdownDocUrl) { let showdown = await import(/* webpackChunkName: "showdown" */ 'utils/showdown'); - let xssFilter = require('showdown-xss-filter'); $(document).ready(() => { let converter = new showdown.Converter({tables: true, extensions: [xssFilter]}); 
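Review bot: The `uponSanitizeAttribute` hook is registered on the shared `DOMPurify` export at module load, so every other `DOMPurify.sanitize()` call in the bundle will silently have its `<img src>` values rewritten as well; keeping this README-specific path fix-up on a dedicated instance avoids that coupling, e.g. `const purify = DOMPurify(window);`, `purify.addHook('uponSanitizeAttribute', …)` and `return purify.sanitize(text);` in the extension. Note that the hook only strips one leading slash, so a protocol-relative `//host/img.png` source becomes the same-origin path `/host/img.png` — harmless, but worth a comment and a unit test so the behaviour is intentional rather than accidental; the rewritten value appears to still go through DOMPurify's URI allow-list afterwards in the 1.0.x hook ordering, which is worth confirming. The `};` after the `xssFilter` function declaration is an empty statement and can be dropped. `renderMarkdown` continues past the end of the hunk, so the point where the sanitized HTML is written into `domElt` is not visible here.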
diff --git a/yarn.lock b/yarn.lock --- a/yarn.lock +++ b/yarn.lock @@ -1997,7 +1997,7 @@ dependencies: delayed-stream "~1.0.0" -commander@2, commander@^2.19.0, commander@^2.9.0: +commander@2, commander@^2.19.0: version "2.19.0" resolved "https://registry.yarnpkg.com/commander/-/commander-2.19.0.tgz#f6198aa84e5b83c46054b94ddedbfed5ee9ff12a" integrity sha512-6tvAOO+D6OENvRAh524Dh9jcfKTYDQAqvqezbCW82xj5X0pSrcpxtvRKHLG0yBY6SD7PSDrJaj+0AiOcKVd1Xg== @@ -2393,11 +2393,6 @@ resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee" integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg== -cssfilter@^0.0.8: - version "0.0.8" - resolved "https://registry.yarnpkg.com/cssfilter/-/cssfilter-0.0.8.tgz#6564caccba8a76dd9b4b920668b9fb7fda50e54c" - integrity sha1-ZWTKzLqKdt2bS5IGaLn7f9pQ5Uw= - cssnano-preset-default@^4.0.7: version "4.0.7" resolved "https://registry.yarnpkg.com/cssnano-preset-default/-/cssnano-preset-default-4.0.7.tgz#51ec662ccfca0f88b396dcd9679cdb931be17f76" @@ -2994,6 +2989,11 @@ dependencies: domelementtype "1" +dompurify@^1.0.10: + version "1.0.10" + resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-1.0.10.tgz#18d7353631c86ee25049e38fbca8c6b2c5a2af87" + integrity sha512-huhl3DSWX5LaA7jDtnj3XQdJgWW1wYouNW7N0drGzQa4vEUSVWyeFN+Atx6HP4r5cang6oQytMom6I4yhGJj5g== + domutils@^1.5.1, domutils@^1.7.0: version "1.7.0" resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a" 
@@ -7753,13 +7753,6 @@ resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3" integrity sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM= -showdown-xss-filter@^0.2.0: - version "0.2.0" - resolved "https://registry.yarnpkg.com/showdown-xss-filter/-/showdown-xss-filter-0.2.0.tgz#39857bae56d6184979f26876b187bb87e9f4f04c" - integrity sha1-OYV7rlbWGEl58mh2sYe7h+n08Ew= - dependencies: - xss "0.2.x" - showdown@^1.9.0: version "1.9.0" resolved "https://registry.yarnpkg.com/showdown/-/showdown-1.9.0.tgz#d49d2a0b6db21b7c2e96ef855f7b3b2a28ef46f4" @@ -9146,14 +9139,6 @@ resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-3.0.0.tgz#496b2cc109eca8dbacfe2dc72b603c17c5870ad4" integrity sha1-SWsswQnsqNus/i3HK2A8F8WHCtQ= -xss@0.2.x: - version "0.2.18" - resolved "https://registry.yarnpkg.com/xss/-/xss-0.2.18.tgz#6df5fb5ca28bdc51e78624ff63f19e13ebd73bab" - integrity sha1-bfX7XKKL3FHnhiT/Y/GeE+vXO6s= - dependencies: - commander "^2.9.0" - cssfilter "^0.0.8" - xtend@^4.0.0, xtend@^4.0.1, xtend@~4.0.1: version "4.0.1" resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"