From 13f9b2b509a4825b807fe54db309e01dc67d70af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonatan=20K=C5=82osko?=
Date: Wed, 17 Feb 2021 17:16:16 +0100
Subject: [PATCH] Sanitize HTML rendered from Markdown (#39)

---
 assets/js/cell/markdown.js | 6 ++++--
 assets/package-lock.json   | 5 +++++
 assets/package.json        | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/assets/js/cell/markdown.js b/assets/js/cell/markdown.js
index 265c53fe2..cbcab9893 100644
--- a/assets/js/cell/markdown.js
+++ b/assets/js/cell/markdown.js
@@ -1,5 +1,6 @@
 import marked from "marked";
 import morphdom from "morphdom";
+import DOMPurify from 'dompurify';
 
 /**
  * Renders markdown content in the given container.
@@ -28,9 +29,10 @@ class Markdown {
   __getHtml() {
     const html = marked(this.content);
+    const sanitizedHtml = DOMPurify.sanitize(html);
 
-    if (html) {
-      return html;
+    if (sanitizedHtml) {
+      return sanitizedHtml;
     } else {
       return `
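Review bot: The new import on the third line of this hunk uses single quotes (`'dompurify'`) while the two existing imports on the lines above use double quotes; keep the file consistent with `import DOMPurify from "dompurify";`. The sanitizer is applied to marked's output in the following hunk, which is the right ordering (sanitize the rendered HTML, not the raw Markdown), but nothing in the file records that ordering as deliberate, so a short comment next to the import such as `// Sanitize marked's rendered HTML before it is inserted into the DOM; keep the call after marked(), never before` would protect it from a later refactor. The `__getHtml` body in the following hunk runs past the end of this page, so the remainder of that method is not reviewed here.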
diff --git a/assets/package-lock.json b/assets/package-lock.json
index f63e32765..26110455e 100644
--- a/assets/package-lock.json
+++ b/assets/package-lock.json
@@ -4109,6 +4109,11 @@
         }
       }
     },
+    "dompurify": {
+      "version": "2.2.6",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.2.6.tgz",
+      "integrity": "sha512-7b7ZArhhH0SP6W2R9cqK6RjaU82FZ2UPM7RO8qN1b1wyvC/NY1FNWcX1Pu00fFOAnzEORtwXe4bPaClg6pUybQ=="
+    },
     "domutils": {
       "version": "1.7.0",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-1.7.0.tgz",
diff --git a/assets/package.json b/assets/package.json
index 84b0a1cb7..5b7e6cc8b 100644
--- a/assets/package.json
+++ b/assets/package.json
@@ -10,6 +10,7 @@
     "test:watch": "jest"
   },
   "dependencies": {
+    "dompurify": "^2.2.6",
     "marked": "^1.2.8",
     "monaco-editor": "^0.21.2",
     "morphdom": "^2.6.1",