discourse/app/assets/javascripts/pretty-text/addon/sanitizer.js

import xss from "xss";
import escape from "discourse-common/lib/escape";

function attr(name, value) {
  if (value) {
    return `${name}="${xss.escapeAttrValue(value)}"`;
  }

  return name;
}

export { escape };

export function hrefAllowed(href, extraHrefMatchers) {
  // escape single quotes
  href = href.replace(/'/g, "%27");

  // absolute urls
  if (/^(https?:)?\/\/[\w\.\-]+/i.test(href)) {
    return href;
  }
  // relative urls
  if (/^\/[\w\.\-]+/i.test(href)) {
    return href;
  }
  // anchors
  if (/^#[\w\.\-]+/i.test(href)) {
    return href;
  }
  // mailtos
  if (/^mailto:[\w\.\-@]+/i.test(href)) {
    return href;
  }

  if (extraHrefMatchers && extraHrefMatchers.length > 0) {
    for (let i = 0; i < extraHrefMatchers.length; i++) {
      if (extraHrefMatchers[i].test(href)) {
        return href;
      }
    }
  }
}

function testDataAttribute(forTag, name, value) {
  return Object.keys(forTag).find((k) => {
    const nameWithMatcher = `^${k.replace(/\*$/, "\\w+?")}`;
    const validValues = forTag[k];

    return (
      new RegExp(nameWithMatcher).test(name) &&
      (validValues.includes("*") ? true : validValues.includes(value))
    );
  });
}

export function sanitize(text, allowLister) {
  if (!text) {
    return "";
  }

  // Allow things like <3 and <_<
  text = text.replace(/<([^A-Za-z\/\!]|$)/g, "&lt;$1");

  const allowList = allowLister.getAllowList(),
    allowedHrefSchemes = allowLister.getAllowedHrefSchemes(),
    allowedIframes = allowLister.getAllowedIframes();
  let extraHrefMatchers = null;

  if (allowedHrefSchemes && allowedHrefSchemes.length > 0) {
    extraHrefMatchers = [
      new RegExp("^(" + allowedHrefSchemes.join("|") + ")://[\\w\\.\\-]+", "i"),
    ];
    if (allowedHrefSchemes.includes("tel")) {
      extraHrefMatchers.push(new RegExp("^tel://\\+?[\\w\\.\\-]+", "i"));
    }
  }

  let result = xss(text, {
    whiteList: allowList.tagList,
    stripIgnoreTag: true,
    stripIgnoreTagBody: ["script", "table"],

    onIgnoreTagAttr(tag, name, value) {
      const forTag = allowList.attrList[tag];
      if (forTag) {
        const forAttr = forTag[name];

        if (
          (forAttr &&
            (forAttr.indexOf("*") !== -1 || forAttr.indexOf(value) !== -1)) ||
          (name.indexOf("data-html-") === -1 &&
            name.indexOf("data-") === 0 &&
            (forTag["data-*"] || testDataAttribute(forTag, name, value))) ||
          (tag === "a" &&
            name === "href" &&
            hrefAllowed(value, extraHrefMatchers)) ||
          (tag === "img" &&
            name === "src" &&
            (/^data:image.*$/i.test(value) ||
              hrefAllowed(value, extraHrefMatchers))) ||
          (tag === "iframe" &&
            name === "src" &&
            allowedIframes.some((i) => {
              return value.toLowerCase().indexOf((i || "").toLowerCase()) === 0;
            }))
        ) {
          return attr(name, value);
        }

        if (tag === "iframe" && name === "src") {
          return "-STRIP-";
        }

        if (tag === "video" && name === "autoplay") {
          // This might give us duplicate 'muted' attributes
          // but they will be deduped by later processing
          return "autoplay muted";
        }

        // Heading ids must begin with `heading--`
        if (
          ["h1", "h2", "h3", "h4", "h5", "h6"].indexOf(tag) !== -1 &&
          value.match(/^heading\-\-[a-zA-Z0-9\-\_]+$/)
        ) {
          return attr(name, value);
        }

        const custom = allowLister.getCustom();
        for (let i = 0; i < custom.length; i++) {
          const fn = custom[i];
          if (fn(tag, name, value)) {
            return attr(name, value);
          }
        }
      }
    },
  });

  return result
    .replace(/\[removed\]/g, "")
    .replace(/\<iframe[^>]+\-STRIP\-[^>]*>[^<]*<\/iframe>/g, "")
    .replace(/&(?![#\w]+;)/g, "&amp;")
    .replace(/&#39;/g, "'")
    .replace(/ \/>/g, ">");
}
Create proper shim for xss library - second attempt 2020-09-15 22:42:51 +08:00			`import xss from "xss";`
FIX: Escape Font Awesome icons (#12421) This is not a security issue because regular users are not allowed to insert FA icons anywhere in the app. Admins can insert icons via custom badges, but they do have the ability to create themes with JS. 2021-03-17 21:11:40 +08:00			`import escape from "discourse-common/lib/escape";`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00
			`function attr(name, value) {`
FIX: Also support just `open` 2016-07-21 01:30:36 +08:00			`if (value) {`
			return `${name}="${xss.escapeAttrValue(value)}"`;
			`}`

			`return name;`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`}`

FIX: Escape Font Awesome icons (#12421) This is not a security issue because regular users are not allowed to insert FA icons anywhere in the app. Admins can insert icons via custom badges, but they do have the ability to create themes with JS. 2021-03-17 21:11:40 +08:00			`export { escape };`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00
FEATURE: add a setting to allow url schemes other than http(s) 2016-10-21 23:39:48 +08:00			`export function hrefAllowed(href, extraHrefMatchers) {`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`// escape single quotes`
			`href = href.replace(/'/g, "%27");`

			`// absolute urls`
			`if (/^(https?:)?\/\/[\w\.\-]+/i.test(href)) {`
			`return href;`
			`}`
			`// relative urls`
			`if (/^\/[\w\.\-]+/i.test(href)) {`
			`return href;`
			`}`
			`// anchors`
			`if (/^#[\w\.\-]+/i.test(href)) {`
			`return href;`
			`}`
			`// mailtos`
			`if (/^mailto:[\w\.\-@]+/i.test(href)) {`
			`return href;`
			`}`
FEATURE: add a setting to allow url schemes other than http(s) 2016-10-21 23:39:48 +08:00
			`if (extraHrefMatchers && extraHrefMatchers.length > 0) {`
			`for (let i = 0; i < extraHrefMatchers.length; i++) {`
			`if (extraHrefMatchers[i].test(href)) {`
			`return href;`
			`}`
			`}`
			`}`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`}`

DEV: adds initial support for custom blocks using code fencing (#15743) Allows to write custom code blocks: ``` ```mermaid height=200,foo=bar test ``` ``` Which will then get converted to: ``` <pre data-code-wrap="mermaid" data-code-height="200" data-code-foo="bar"> <code class="lang-nohighlight"> test </code> </pre> ``` 2022-02-09 18:23:44 +08:00			`function testDataAttribute(forTag, name, value) {`
			`return Object.keys(forTag).find((k) => {`
			const nameWithMatcher = `^${k.replace(/\*$/, "\\w+?")}`;
			`const validValues = forTag[k];`

			`return (`
			`new RegExp(nameWithMatcher).test(name) &&`
			`(validValues.includes("*") ? true : validValues.includes(value))`
			`);`
			`});`
			`}`

FIX: pretty text allow list (#10977) Reword whitelist to allowlist in pretty-text. This library is used by plugins so we need deprecation notice. 2020-10-28 10:22:06 +08:00			`export function sanitize(text, allowLister) {`
DEV: enforces eslint’s curly rule to the codebase (#10720) eslint --fix is capable of fix it automatically for you, ensure prettier is run after eslint as eslint --fix could leave the code in an invalid prettier state. 2020-09-22 22:28:28 +08:00			`if (!text) {`
			`return "";`
			`}`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00
			`// Allow things like <3 and <_<`
			`text = text.replace(/<([^A-Za-z\/\!]\|$)/g, "<$1");`

FIX: pretty text allow list (#10977) Reword whitelist to allowlist in pretty-text. This library is used by plugins so we need deprecation notice. 2020-10-28 10:22:06 +08:00			`const allowList = allowLister.getAllowList(),`
			`allowedHrefSchemes = allowLister.getAllowedHrefSchemes(),`
			`allowedIframes = allowLister.getAllowedIframes();`
FEATURE: add a setting to allow url schemes other than http(s) 2016-10-21 23:39:48 +08:00			`let extraHrefMatchers = null;`

			`if (allowedHrefSchemes && allowedHrefSchemes.length > 0) {`
			`extraHrefMatchers = [`
			`new RegExp("^(" + allowedHrefSchemes.join("\|") + ")://[\\w\\.\\-]+", "i"),`
			`];`
FIX: allowed href scheme link can start with a + (#5537) * allowed href scheme link can start with a + * allow tel:// links only to start with + * add missing semicolon * add test 2018-01-30 08:02:23 +08:00			`if (allowedHrefSchemes.includes("tel")) {`
			`extraHrefMatchers.push(new RegExp("^tel://\\+?[\\w\\.\\-]+", "i"));`
			`}`
FEATURE: add a setting to allow url schemes other than http(s) 2016-10-21 23:39:48 +08:00			`}`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00
			`let result = xss(text, {`
FIX: pretty text allow list (#10977) Reword whitelist to allowlist in pretty-text. This library is used by plugins so we need deprecation notice. 2020-10-28 10:22:06 +08:00			`whiteList: allowList.tagList,`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`stripIgnoreTag: true,`
			`stripIgnoreTagBody: ["script", "table"],`
REFACTOR: PreloadStore to ES6 2016-07-05 02:15:51 +08:00
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`onIgnoreTagAttr(tag, name, value) {`
FIX: pretty text allow list (#10977) Reword whitelist to allowlist in pretty-text. This library is used by plugins so we need deprecation notice. 2020-10-28 10:22:06 +08:00			`const forTag = allowList.attrList[tag];`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`if (forTag) {`
			`const forAttr = forTag[name];`
DEV: adds initial support for custom blocks using code fencing (#15743) Allows to write custom code blocks: ``` ```mermaid height=200,foo=bar test ``` ``` Which will then get converted to: ``` <pre data-code-wrap="mermaid" data-code-height="200" data-code-foo="bar"> <code class="lang-nohighlight"> test </code> </pre> ``` 2022-02-09 18:23:44 +08:00
FEATURE: allowed_iframes site setting for allowing iframes This allows you to whitelist custom iframes if needed in posts 2017-09-01 22:15:34 +08:00			`if (`
			`(forAttr &&`
			`(forAttr.indexOf("*") !== -1 \|\| forAttr.indexOf(value) !== -1)) \|\|`
SECURITY: Sanitize d-popover attributes (#13958) 2021-08-05 21:39:17 +08:00			`(name.indexOf("data-html-") === -1 &&`
			`name.indexOf("data-") === 0 &&`
DEV: adds initial support for custom blocks using code fencing (#15743) Allows to write custom code blocks: ``` ```mermaid height=200,foo=bar test ``` ``` Which will then get converted to: ``` <pre data-code-wrap="mermaid" data-code-height="200" data-code-foo="bar"> <code class="lang-nohighlight"> test </code> </pre> ``` 2022-02-09 18:23:44 +08:00			`(forTag["data-*"] \|\| testDataAttribute(forTag, name, value))) \|\|`
FEATURE: add a setting to allow url schemes other than http(s) 2016-10-21 23:39:48 +08:00			`(tag === "a" &&`
			`name === "href" &&`
			`hrefAllowed(value, extraHrefMatchers)) \|\|`
			`(tag === "img" &&`
			`name === "src" &&`
			`(/^data:image.*$/i.test(value) \|\|`
			`hrefAllowed(value, extraHrefMatchers))) \|\|`
FEATURE: allowed_iframes site setting for allowing iframes This allows you to whitelist custom iframes if needed in posts 2017-09-01 22:15:34 +08:00			`(tag === "iframe" &&`
			`name === "src" &&`
			`allowedIframes.some((i) => {`
			`return value.toLowerCase().indexOf((i \|\| "").toLowerCase()) === 0;`
			`}))`
			`) {`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`return attr(name, value);`
			`}`

			`if (tag === "iframe" && name === "src") {`
			`return "-STRIP-";`
			`}`

FIX: Autoplay videos must always be muted (#11533) This automatically adds the muted attribute if it's missing in a video tag. Co-authored-by: David Taylor <david@taylorhq.com> 2020-12-22 01:55:00 +08:00			`if (tag === "video" && name === "autoplay") {`
DEV: Correct typos and spelling mistakes (#12812) Over the years we accrued many spelling mistakes in the code base. This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change - comments - test descriptions - other low risk areas 2021-05-21 09:43:47 +08:00			`// This might give us duplicate 'muted' attributes`
FIX: Autoplay videos must always be muted (#11533) This automatically adds the muted attribute if it's missing in a video tag. Co-authored-by: David Taylor <david@taylorhq.com> 2020-12-22 01:55:00 +08:00			`// but they will be deduped by later processing`
			`return "autoplay muted";`
			`}`

FIX: Headings must begin with `heading--` to avoid some griefing 2017-10-16 23:53:47 +08:00			// Heading ids must begin with `heading--`
			`if (`
			`["h1", "h2", "h3", "h4", "h5", "h6"].indexOf(tag) !== -1 &&`
			`value.match(/^heading\-\-[a-zA-Z0-9\-\_]+$/)`
			`) {`
			`return attr(name, value);`
			`}`

FIX: pretty text allow list (#10977) Reword whitelist to allowlist in pretty-text. This library is used by plugins so we need deprecation notice. 2020-10-28 10:22:06 +08:00			`const custom = allowLister.getCustom();`
REFACTOR: Migrate markdown functionality in ES6 2016-06-15 02:31:51 +08:00			`for (let i = 0; i < custom.length; i++) {`
			`const fn = custom[i];`
			`if (fn(tag, name, value)) {`
			`return attr(name, value);`
			`}`
			`}`
			`}`
			`},`
			`});`

			`return result`
			`.replace(/\[removed\]/g, "")`
			`.replace(/\<iframe[^>]+\-STRIP\-[^>]>[^<]<\/iframe>/g, "")`
			`.replace(/&(?![#\w]+;)/g, "&")`
			`.replace(/'/g, "'")`
			`.replace(/ \/>/g, ">");`
			`}`