From 8b4f59ba4925b83f401e7da116a0e1e30f3690df Mon Sep 17 00:00:00 2001
From: Ben Gotow
Date: Mon, 8 Jan 2024 10:45:15 -0600
Subject: [PATCH] Switch to DOMPurify for HTML email sanitization

---
 app/package-lock.json | 11 +
 app/package.json | 3 +-
 app/src/flux/stores/draft-factory.ts | 6 +-
 app/src/flux/stores/message-body-processor.ts | 2 +-
 app/src/services/sanitize-transformer.ts | 764 ++++++------------
 5 files changed, 257 insertions(+), 529 deletions(-)

diff --git a/app/package-lock.json b/app/package-lock.json
index 590a918e8..491a14f12 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -21,6 +21,7 @@
 "collapse-whitespace": "^1.1.6",
 "debug": "github:emorikawa/debug#nylas",
 "deep-extend": "0.6.0",
+ "dompurify": "^3.0.8",
 "emoji-data": "^0.2.0",
 "enzyme": "^3.8.0",
 "enzyme-adapter-react-16": "^1.9.0",
@@ -1154,6 +1155,11 @@
 "url": "https://github.com/fb55/domhandler?sponsor=1"
 }
 },
+ "node_modules/dompurify": {
+ "version": "3.0.8",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.0.8.tgz",
+ "integrity": "sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ=="
+ },
 "node_modules/domutils": {
 "version": "3.1.0",
 "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.1.0.tgz",
@@ -5937,6 +5943,11 @@
 "domelementtype": "^2.3.0"
 }
 },
+ "dompurify": {
+ "version": "3.0.8",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.0.8.tgz",
+ "integrity": "sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ=="
+ },
 "domutils": {
 "version": "3.1.0",
 "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.1.0.tgz",
diff --git a/app/package.json b/app/package.json
index 31fc9ea7e..27960cb14 100644
--- a/app/package.json
+++ b/app/package.json
@@ -11,9 +11,9 @@ "license": "GPL-3.0", "main": "./src/browser/main.js", "dependencies": { - "app-module-path": "^2.2.0", "@bengotow/slate-edit-list": "github:bengotow/slate-edit-list#b868e108", "@electron/remote": "^2.0.9", + "app-module-path": "^2.2.0", "better-sqlite3": "^8.0.1", "cheerio": "^1.0.0-rc.6", "chromium-net-errors": "1.0.3", @@ -23,6 +23,7 @@ "collapse-whitespace": "^1.1.6", "debug": "github:emorikawa/debug#nylas", "deep-extend": "0.6.0", + "dompurify": "^3.0.8", "emoji-data": "^0.2.0", "enzyme": "^3.8.0", "enzyme-adapter-react-16": "^1.9.0", diff --git a/app/src/flux/stores/draft-factory.ts b/app/src/flux/stores/draft-factory.ts index ae81948ba..61b17f8d3 100644 --- a/app/src/flux/stores/draft-factory.ts +++ b/app/src/flux/stores/draft-factory.ts @@ -50,7 +50,7 @@ class DraftFactory { // Be sure to match over multiple lines with [\s\S]* // Regex explanation here: https://regex101.com/r/vO6eN2/1 let transformed = (content || '').replace(cidRegexp, ''); - transformed = await SanitizeTransformer.run(transformed, SanitizeTransformer.Preset.UnsafeOnly); + transformed = await SanitizeTransformer.run(transformed); transformed = await InlineStyleTransformer.run(transformed); return transformed; } @@ -259,8 +259,8 @@ class DraftFactory { ` : `\n\n---------- ${localized('Forwarded Message')} ---------\n\n${fields.join( - '\n' - )}\n\n${body}`, + '\n' + )}\n\n${body}`, }); } diff --git a/app/src/flux/stores/message-body-processor.ts b/app/src/flux/stores/message-body-processor.ts index b15587273..0e9cfd98a 100644 --- a/app/src/flux/stores/message-body-processor.ts +++ b/app/src/flux/stores/message-body-processor.ts @@ -168,7 +168,7 @@ class MessageBodyProcessor { // Sanitizing
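Review bot: In the draft-factory.ts hunk at `@@ -50,7 +50,7 @@`, the call site drops the explicit `SanitizeTransformer.Preset.UnsafeOnly` selection and now relies on whatever default policy `SanitizeTransformer.run(transformed)` applies, but the rewritten sanitizer in app/src/services/sanitize-transformer.ts is not in this part of the patch, so nothing at the call site records which DOMPurify configuration draft bodies now get. The old preset name suggests this path was deliberately the more permissive one (the result is handed straight to `InlineStyleTransformer.run` on the next line), so a reader can no longer tell from here whether the default is meant to preserve that behaviour or to apply the same policy as received-message rendering. Suggest a call-site comment such as `// TODO(review): confirm the default DOMPurify policy in sanitize-transformer.ts is the intended replacement for Preset.UnsafeOnly on draft bodies`, or passing the configuration explicitly so the policy choice stays visible in this file. The enclosing DraftFactory method starts outside the hunk; the message-body-processor.ts hunk that appears to make the same kind of change is cut off in this view, so it could not be reviewed.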