Switch to dompurify

2024-08-27 04:49:35 +00:00 · 2021-08-18 16:53:58 -07:00 · 2021-08-18 16:53:58 -07:00 · e56fa01346
parent d15097e731
commit e56fa01346
4 changed files with 23 additions and 78 deletions
--- a/extensions/markdown-language-features/notebook/index.ts
+++ b/extensions/markdown-language-features/notebook/index.ts
@ -4,47 +4,12 @@
 *--------------------------------------------------------------------------------------------*/

 const MarkdownIt = require('markdown-it');
-const insane = require('insane');
-import type { InsaneOptions } from 'insane';
+import * as DOMPurify from 'dompurify';
 import type * as markdownIt from 'markdown-it';

-function _extInsaneOptions(opts: InsaneOptions, allowedAttributesForAll: string[]): InsaneOptions {
-	const allowedAttributes: Record<string, string[]> = opts.allowedAttributes ?? {};
-	if (opts.allowedTags) {
-		for (const tag of opts.allowedTags) {
-			let array = allowedAttributes[tag];
-			if (!array) {
-				array = allowedAttributesForAll;
-			} else {
-				array = array.concat(allowedAttributesForAll);
-			}
-			allowedAttributes[tag] = array;
-		}
-	}
-
-	return { ...opts, allowedAttributes };
-}
-
-const insaneOptions: InsaneOptions = _extInsaneOptions({
-	allowedTags: ['a', 'button', 'blockquote', 'code', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'img', 'input', 'label', 'li', 'p', 'pre', 'select', 'small', 'span', 'strong', 'textarea', 'ul', 'ol'],
-	allowedAttributes: {
-		'a': ['href', 'x-dispatch'],
-		'button': ['data-href', 'x-dispatch'],
-		'img': ['src'],
-		'input': ['type', 'placeholder', 'checked', 'required'],
-		'label': ['for'],
-		'select': ['required'],
-		'span': ['data-command', 'role'],
-		'textarea': ['name', 'placeholder', 'required'],
-	},
-	allowedSchemes: ['http', 'https']
-}, [
-	'align',
-	'class',
-	'id',
-	'style',
-	'aria-hidden',
-]);
+const sanitizerOptions: DOMPurify.Config = {
+	ALLOWED_TAGS: ['a', 'button', 'blockquote', 'code', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'img', 'input', 'label', 'li', 'p', 'pre', 'select', 'small', 'span', 'strong', 'textarea', 'ul', 'ol'],
+};

 export function activate(ctx: { workspace: { isTrusted: boolean } }) {
 	let markdownIt = new MarkdownIt({
@ -217,7 +182,7 @@ export function activate(ctx: { workspace: { isTrusted: boolean } }) {
 				const unsanitizedRenderedMarkdown = markdownIt.render(text);
 				previewNode.innerHTML = ctx.workspace.isTrusted
 					? unsanitizedRenderedMarkdown
-					: insane(unsanitizedRenderedMarkdown, insaneOptions);
+					: DOMPurify.sanitize(unsanitizedRenderedMarkdown, sanitizerOptions);
 			}
 		},
 		extendMarkdownIt: (f: (md: typeof markdownIt) => void) => {
--- a/extensions/markdown-language-features/notebook/insane.d.ts
+++ b/extensions/markdown-language-features/notebook/insane.d.ts
@ -1,20 +0,0 @@
-/*---------------------------------------------------------------------------------------------
- *  Copyright (c) Microsoft Corporation. All rights reserved.
- *  Licensed under the MIT License. See License.txt in the project root for license information.
- *--------------------------------------------------------------------------------------------*/
-
-declare module 'insane' {
-
-	export interface InsaneOptions {
-		readonly allowedSchemes?: readonly string[],
-		readonly allowedTags?: readonly string[],
-		readonly allowedAttributes?: { readonly [key: string]: string[] },
-		readonly filter?: (token: { tag: string, attrs: { readonly [key: string]: string } }) => boolean,
-	}
-
-	export function insane(
-		html: string,
-		options?: InsaneOptions,
-		strict?: boolean,
-	): string;
-}
--- a/extensions/markdown-language-features/package.json
+++ b/extensions/markdown-language-features/package.json
@ -352,14 +352,15 @@
    "watch-web": "npx webpack-cli --config extension-browser.webpack.config --mode none --watch --info-verbosity verbose"
  },
  "dependencies": {
+    "dompurify": "^2.3.1",
    "highlight.js": "^10.4.1",
-    "insane": "^2.6.2",
    "markdown-it": "^12.0.3",
    "markdown-it-front-matter": "^0.2.1",
    "vscode-extension-telemetry": "0.2.8",
    "vscode-nls": "^5.0.0"
  },
  "devDependencies": {
+    "@types/dompurify": "^2.2.3",
    "@types/highlight.js": "10.1.0",
    "@types/lodash.throttle": "^4.1.3",
    "@types/markdown-it": "0.0.2",
--- a/extensions/markdown-language-features/yarn.lock
+++ b/extensions/markdown-language-features/yarn.lock
@ -2,6 +2,13 @@
 # yarn lockfile v1


+"@types/dompurify@^2.2.3":
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-2.2.3.tgz#6e89677a07902ac1b6821c345f34bd85da239b08"
+  integrity sha512-CLtc2mZK8+axmrz1JqtpklO/Kvn38arGc8o1l3UVopZaXXuer9ONdZwJ/9f226GrhRLtUmLr9WrvZsRSNpS8og==
+  dependencies:
+    "@types/trusted-types" "*"
+
 "@types/highlight.js@10.1.0":
  version "10.1.0"
  resolved "https://registry.yarnpkg.com/@types/highlight.js/-/highlight.js-10.1.0.tgz#89bb0c202997d7a90a07bd2ec1f7d00c56bb90b4"
@ -26,6 +33,11 @@
  resolved "https://registry.yarnpkg.com/@types/markdown-it/-/markdown-it-0.0.2.tgz#5d9ad19e6e6508cdd2f2596df86fd0aade598660"
  integrity sha1-XZrRnm5lCM3S8llt+G/Qqt5ZhmA=

+"@types/trusted-types@*":
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.2.tgz#fc25ad9943bcac11cceb8168db4f275e0e72e756"
+  integrity sha512-F5DIZ36YVLE+PN+Zwws4kJogq47hNgX3Nx6WyDJ3kcplxyke3XIzB8uK5n/Lpm1HBsbGzd6nmGehL8cPekP+Tg==
+
 "@types/vscode-webview@^1.57.0":
  version "1.57.0"
  resolved "https://registry.yarnpkg.com/@types/vscode-webview/-/vscode-webview-1.57.0.tgz#bad5194d45ae8d03afc1c0f67f71ff5e7a243bbf"
@ -36,34 +48,21 @@ argparse@^2.0.1:
  resolved "https://registry.yarnpkg.com/argparse/-/argparse-2.0.1.tgz#246f50f3ca78a3240f6c997e8a9bd1eac49e4b38"
  integrity sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==

-assignment@2.0.0:
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/assignment/-/assignment-2.0.0.tgz#ffd17b21bf5d6b22e777b989681a815456a3dd3e"
-  integrity sha1-/9F7Ib9dayLnd7mJaBqBVFaj3T4=
+dompurify@^2.3.1:
+  version "2.3.1"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.3.1.tgz#a47059ca21fd1212d3c8f71fdea6943b8bfbdf6a"
+  integrity sha512-xGWt+NHAQS+4tpgbOAI08yxW0Pr256Gu/FNE2frZVTbgrBUn8M7tz7/ktS/LZ2MHeGqz6topj0/xY+y8R5FBFw==

 entities@~2.1.0:
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/entities/-/entities-2.1.0.tgz#992d3129cf7df6870b96c57858c249a120f8b8b5"
  integrity sha512-hCx1oky9PFrJ611mf0ifBLBRW8lUUVRlFolb5gWRfIELabBlbp9xZvrqZLZAs+NxFnbfQoeGd8wDkygjg7U85w==

-he@0.5.0:
-  version "0.5.0"
-  resolved "https://registry.yarnpkg.com/he/-/he-0.5.0.tgz#2c05ffaef90b68e860f3fd2b54ef580989277ee2"
-  integrity sha1-LAX/rvkLaOhg8/0rVO9YCYknfuI=
-
 highlight.js@*, highlight.js@^10.4.1:
  version "10.4.1"
  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-10.4.1.tgz#d48fbcf4a9971c4361b3f95f302747afe19dbad0"
  integrity sha512-yR5lWvNz7c85OhVAEAeFhVCc/GV4C30Fjzc/rCP0aCWzc1UUOPUk55dK/qdwTZHBvMZo+eZ2jpk62ndX/xMFlg==

-insane@^2.6.2:
-  version "2.6.2"
-  resolved "https://registry.yarnpkg.com/insane/-/insane-2.6.2.tgz#c2ab68bb3e006ab451560d1b446917329c0a8120"
-  integrity sha1-wqtouz4AarRRVg0bRGkXMpwKgSA=
-  dependencies:
-    assignment "2.0.0"
-    he "0.5.0"
-
 linkify-it@^3.0.1:
  version "3.0.2"
  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-3.0.2.tgz#f55eeb8bc1d3ae754049e124ab3bb56d97797fb8"