Introduce sanitizeHtml to sanitize markdown content (#6523)

* Introduce dompurify to sanitize markdown content

* Add changelog item

* Move from dompurifiy to smaller sanitize-html package

* Remove marked from webapp-markdown-editor as it is already present in web-runtime

* Use sanitizer in markdown-editor

* Fix import of marked

* Update changelog item

changelog/unreleased/bugfix-space-description-xss-vulnerabilities

@@ -0,0 +1,6 @@
+Bugfix: Prevent cross-site scripting attack while displaying space description
+
+We've added a new package that strips out possible XSS attack code while displaying the space description
+
+https://github.com/owncloud/web/pull/6523
+https://github.com/owncloud/web/issues/6526

packages/web-app-files/src/views/spaces/Project.vue

@@ -133,7 +133,8 @@ import ListLoader from '../../components/FilesList/ListLoader.vue'
 import { computed, ref, unref } from '@vue/composition-api'
 import { useTask } from 'vue-concurrency'
 import { useStore, useRouter, useRouteQuery } from 'web-pkg/src/composables'
-import marked from 'marked'
+import { marked } from 'marked'
+import sanitizeHtml from 'sanitize-html'
 import MixinAccessibleBreadcrumb from '../../mixins/accessibleBreadcrumb'
 import { bus } from 'web-pkg/src/instance'
 import { buildResource, buildSpace, buildWebDavSpacesPath } from '../../helpers/resources'
@@ -365,8 +366,9 @@ export default {
             if (this.markdownResizeObserver && this.$refs.markdownContainer) {
               this.markdownResizeObserver.unobserve(this.$refs.markdownContainer)
             }
-
-            this.markdownContent = marked.parse(fileContents)
+            const parsedMarkdown = marked.parse(fileContents)
+            // Sanitize markdown content to prevent XSS vulnerabilities
+            this.markdownContent = sanitizeHtml(parsedMarkdown)
 
             if (this.markdownContent) {
               this.markdownResizeObserver.observe(this.$refs.markdownContainer)

packages/web-app-markdown-editor/package.json

@@ -2,8 +2,5 @@
   "name": "markdown-editor",
   "version": "0.0.0",
   "description": "ownCloud web markdown-editor",
-  "license": "AGPL-3.0",
-  "dependencies": {
-    "marked": "^3.0.0"
-  }
+  "license": "AGPL-3.0"
 }

packages/web-app-markdown-editor/src/App.vue

@@ -37,7 +37,8 @@
 <script>
 import MarkdownEditorAppBar from './MarkdownEditorAppBar.vue'
 import { useAppDefaults } from 'web-pkg/src/composables'
-import marked from 'marked'
+import { marked } from 'marked'
+import sanitizeHtml from 'sanitize-html'
 import { useTask } from 'vue-concurrency'
 import { computed, getCurrentInstance, onMounted, ref, unref } from '@vue/composition-api'
 
@@ -86,7 +87,7 @@ export default {
     }
 
     const renderedMarkdown = computed(() => {
-      return unref(currentContent) ? marked(unref(currentContent), { sanitize: true }) : null
+      return unref(currentContent) ? sanitizeHtml(marked(unref(currentContent))) : null
     })
 
     const isDirty = computed(() => {

packages/web-runtime/package.json

@@ -16,6 +16,7 @@
     "fuse.js": "^6.5.3",
     "lodash-es": "^4.17.21",
     "luxon": "^2.3.0",
+    "marked": "^4.0.12",
     "oidc-client": "1.11.5",
     "owncloud-design-system": "^12.2.1",
     "owncloud-sdk": "~2.0.0",
@@ -26,6 +27,7 @@
     "postcss-url": "^9.0.0",
     "promise": "^8.0.3",
     "qs": "^6.10.3",
+    "sanitize-html": "^2.7.0",
     "semver": "^7.3.5",
     "tippy.js": "^6.3.7",
     "tus-js-client": "^2.3.1",

yarn.lock

@@ -6869,7 +6869,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"htmlparser2@npm:^6.1.0":
+"htmlparser2@npm:^6.0.0, htmlparser2@npm:^6.1.0":
   version: 6.1.0
   resolution: "htmlparser2@npm:6.1.0"
   dependencies:
@@ -7375,6 +7375,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"is-plain-object@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "is-plain-object@npm:5.0.0"
+  checksum: e32d27061eef62c0847d303125440a38660517e586f2f3db7c9d179ae5b6674ab0f469d519b2e25c147a1a3bc87156d0d5f4d8821e0ce4a9ee7fe1fcf11ce45c
+  languageName: node
+  linkType: hard
+
 "is-potential-custom-element-name@npm:^1.0.1":
   version: 1.0.1
   resolution: "is-potential-custom-element-name@npm:1.0.1"
@@ -8856,17 +8863,15 @@ __metadata:
 "markdown-editor@workspace:packages/web-app-markdown-editor":
   version: 0.0.0-use.local
   resolution: "markdown-editor@workspace:packages/web-app-markdown-editor"
-  dependencies:
-    marked: ^3.0.0
   languageName: unknown
   linkType: soft
 
-"marked@npm:^3.0.0":
-  version: 3.0.2
-  resolution: "marked@npm:3.0.2"
+"marked@npm:^4.0.12":
+  version: 4.0.12
+  resolution: "marked@npm:4.0.12"
   bin:
-    marked: bin/marked
-  checksum: 6f88083a7e50494f97af9f92f1b03a299ecde78055f7378dd0837f12aa2e192db84b7ed528d3e7008fd8d26d39f23a2a07af2a349899917171531574798563b5
+    marked: bin/marked.js
+  checksum: 7575117f85a8986652f3ac8b8a7b95056c4c5fce01a1fc76dc4c7960412cb4c9bd9da8133487159b6b3ff84f52b543dfe9a36f826a5f358892b5ec4b6824f192
   languageName: node
   linkType: hard
 
@@ -9176,6 +9181,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"nanoid@npm:^3.3.1":
+  version: 3.3.1
+  resolution: "nanoid@npm:3.3.1"
+  bin:
+    nanoid: bin/nanoid.cjs
+  checksum: 4ef0969e1bbe866fc223eb32276cbccb0961900bfe79104fa5abe34361979dead8d0e061410a5c03bc3d47455685adf32c09d6f27790f4a6898fb51f7df7ec86
+  languageName: node
+  linkType: hard
+
 "native-request@npm:^1.0.5":
   version: 1.0.8
   resolution: "native-request@npm:1.0.8"
@@ -9778,6 +9792,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"parse-srcset@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "parse-srcset@npm:1.0.2"
+  checksum: 3a0380380c6082021fcce982f0b89fb8a493ce9dfd7d308e5e6d855201e80db8b90438649b31fdd82a3d6089a8ca17dccddaa2b730a718389af4c037b8539ebf
+  languageName: node
+  linkType: hard
+
 "parse5-htmlparser2-tree-adapter@npm:^6.0.1":
   version: 6.0.1
   resolution: "parse5-htmlparser2-tree-adapter@npm:6.0.1"
@@ -10627,6 +10648,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"postcss@npm:^8.3.11":
+  version: 8.4.7
+  resolution: "postcss@npm:8.4.7"
+  dependencies:
+    nanoid: ^3.3.1
+    picocolors: ^1.0.0
+    source-map-js: ^1.0.2
+  checksum: a515ed36622edbee1d3ba153298d3b62ae9826dfa6de19204c2a6f975c8d3ad36808423b5119a9d82b78efd486de3ce35a1faf882a36ac8aa09492be4fbb7fe1
+  languageName: node
+  linkType: hard
+
 "prelude-ls@npm:^1.2.1":
   version: 1.2.1
   resolution: "prelude-ls@npm:1.2.1"
@@ -11777,6 +11809,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"sanitize-html@npm:^2.7.0":
+  version: 2.7.0
+  resolution: "sanitize-html@npm:2.7.0"
+  dependencies:
+    deepmerge: ^4.2.2
+    escape-string-regexp: ^4.0.0
+    htmlparser2: ^6.0.0
+    is-plain-object: ^5.0.0
+    parse-srcset: ^1.0.2
+    postcss: ^8.3.11
+  checksum: 73a4d66f69578bace3506519ca0734279b7117e15c33c7e4d075cdb483b1586261a18acd35934f6c6109f3b2a4a82f82c242171a94d5dc23fba5b09b01ea5b22
+  languageName: node
+  linkType: hard
+
 "sass@npm:^1.18.0, sass@npm:^1.29.0":
   version: 1.35.1
   resolution: "sass@npm:1.35.1"
@@ -12040,6 +12086,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"source-map-js@npm:^1.0.2":
+  version: 1.0.2
+  resolution: "source-map-js@npm:1.0.2"
+  checksum: c049a7fc4deb9a7e9b481ae3d424cc793cb4845daa690bc5a05d428bf41bf231ced49b4cf0c9e77f9d42fdb3d20d6187619fc586605f5eabe995a316da8d377c
+  languageName: node
+  linkType: hard
+
 "source-map-resolve@npm:^0.5.2":
   version: 0.5.3
   resolution: "source-map-resolve@npm:0.5.3"
@@ -13550,6 +13603,7 @@ __metadata:
     fuse.js: ^6.5.3
     lodash-es: ^4.17.21
     luxon: ^2.3.0
+    marked: ^4.0.12
     oidc-client: 1.11.5
     owncloud-design-system: ^12.2.1
     owncloud-sdk: ~2.0.0
@@ -13560,6 +13614,7 @@ __metadata:
     postcss-url: ^9.0.0
     promise: ^8.0.3
     qs: ^6.10.3
+    sanitize-html: ^2.7.0
     semver: ^7.3.5
     tippy.js: ^6.3.7
     tus-js-client: ^2.3.1