Merge pull request microsoft#259608 from mjbvz/overseas-cobra

Move replaceWithPlaintext into domSanitize

Author: mjbvz

src/vs/base/browser/domSanitize.ts

@@ -184,9 +184,15 @@ export interface DomSanitizerConfig {
 		readonly override?: readonly string[];
 	};
 
+	/**
+	 * If set, replaces unsupported tags with their plaintext representation instead of removing them.
+	 *
+	 * For example, <p><bad>"text"</bad></p> becomes <p>"<bad>text</bad>"</p>.
+	 */
+	readonly replaceWithPlaintext?: boolean;
+
 	// TODO: move these into more controlled api
 	readonly _do_not_use_hooks?: {
-		readonly uponSanitizeElement?: UponSanitizeElementCb;
 		readonly uponSanitizeAttribute?: UponSanitizeAttributeCb;
 	};
 }
@@ -238,8 +244,8 @@ export function sanitizeHtml(untrusted: string, config?: DomSanitizerConfig): Tr
 			config?.allowedLinkProtocols?.override ?? [Schemas.http, Schemas.https],
 			config?.allowedMediaProtocols?.override ?? [Schemas.http, Schemas.https]));
 
-		if (config?._do_not_use_hooks?.uponSanitizeElement) {
-			store.add(addDompurifyHook('uponSanitizeElement', config?._do_not_use_hooks.uponSanitizeElement));
+		if (config?.replaceWithPlaintext) {
+			store.add(addDompurifyHook('uponSanitizeElement', replaceWithPlainTextHook));
 		}
 
 		if (config?._do_not_use_hooks?.uponSanitizeAttribute) {
@@ -255,6 +261,56 @@ export function sanitizeHtml(untrusted: string, config?: DomSanitizerConfig): Tr
 	}
 }
 
+const selfClosingTags = ['area', 'base', 'br', 'col', 'command', 'embed', 'hr', 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr'];
+
+function replaceWithPlainTextHook(element: Element, data: dompurify.SanitizeElementHookEvent, _config: dompurify.Config) {
+	if (!data.allowedTags[data.tagName] && data.tagName !== 'body') {
+		const replacement = convertTagToPlaintext(element);
+		if (element.nodeType === Node.COMMENT_NODE) {
+			// Workaround for https://github.com/cure53/DOMPurify/issues/1005
+			// The comment will be deleted in the next phase. However if we try to remove it now, it will cause
+			// an exception. Instead we insert the text node before the comment.
+			element.parentElement?.insertBefore(replacement, element);
+		} else {
+			element.parentElement?.replaceChild(replacement, element);
+		}
+	}
+}
+
+export function convertTagToPlaintext(element: Element): DocumentFragment {
+	let startTagText: string;
+	let endTagText: string | undefined;
+	if (element.nodeType === Node.COMMENT_NODE) {
+		startTagText = `<!--${element.textContent}-->`;
+	} else {
+		const tagName = element.tagName.toLowerCase();
+		const isSelfClosing = selfClosingTags.includes(tagName);
+		const attrString = element.attributes.length ?
+			' ' + Array.from(element.attributes)
+				.map(attr => `${attr.name}="${attr.value}"`)
+				.join(' ')
+			: '';
+		startTagText = `<${tagName}${attrString}>`;
+		if (!isSelfClosing) {
+			endTagText = `</${tagName}>`;
+		}
+	}
+
+	const fragment = document.createDocumentFragment();
+	const textNode = element.ownerDocument.createTextNode(startTagText);
+	fragment.appendChild(textNode);
+	while (element.firstChild) {
+		fragment.appendChild(element.firstChild);
+	}
+
+	const endTagTextNode = endTagText ? element.ownerDocument.createTextNode(endTagText) : undefined;
+	if (endTagTextNode) {
+		fragment.appendChild(endTagTextNode);
+	}
+
+	return fragment;
+}
+
 /**
  * Sanitizes the given `value` and reset the given `node` with it.
  */

src/vs/base/browser/markdownRenderer.ts

@@ -20,6 +20,7 @@ import { escape } from '../common/strings.js';
 import { URI } from '../common/uri.js';
 import * as DOM from './dom.js';
 import * as domSanitize from './domSanitize.js';
+import { convertTagToPlaintext } from './domSanitize.js';
 import { DomEmitter } from './event.js';
 import { FormattedTextRenderOptions } from './formattedTextRenderer.js';
 import { StandardKeyboardEvent } from './keyboardEvent.js';
@@ -211,6 +212,20 @@ export function renderMarkdown(markdown: IMarkdownString, options: MarkdownRende
 		}));
 	}
 
+	// Remove/disable inputs
+	for (const input of [...element.getElementsByTagName('input')]) {
+		if (input.attributes.getNamedItem('type')?.value === 'checkbox') {
+			input.setAttribute('disabled', '');
+		} else {
+			if (options.sanitizerConfig?.replaceWithPlaintext) {
+				const replacement = convertTagToPlaintext(input);
+				input.parentElement?.replaceChild(replacement, input);
+			} else {
+				input.remove();
+			}
+		}
+	}
+
 	return {
 		element,
 		dispose: () => {
@@ -412,15 +427,12 @@ function resolveWithBaseUri(baseUri: URI, href: string): string {
 	}
 }
 
-
-const selfClosingTags = ['area', 'base', 'br', 'col', 'command', 'embed', 'hr', 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr'];
-
 function sanitizeRenderedMarkdown(
 	renderedMarkdown: string,
 	isTrusted: boolean | MarkdownStringTrustedOptions,
 	options: MarkdownSanitizerConfig = {},
 ): TrustedHTML {
-	const sanitizerConfig = getSanitizerOptions(isTrusted, options);
+	const sanitizerConfig = getDomSanitizerConfig(isTrusted, options);
 	return domSanitize.sanitizeHtml(renderedMarkdown, sanitizerConfig);
 }
 
@@ -452,6 +464,7 @@ export const allowedMarkdownHtmlAttributes = [
 	'type',
 	'width',
 	'start',
+	'value',
 
 	// Custom markdown attributes
 	'data-code',
@@ -462,7 +475,7 @@ export const allowedMarkdownHtmlAttributes = [
 	'class',
 ];
 
-function getSanitizerOptions(isTrusted: boolean | MarkdownStringTrustedOptions, options: MarkdownSanitizerConfig): domSanitize.DomSanitizerConfig {
+function getDomSanitizerConfig(isTrusted: boolean | MarkdownStringTrustedOptions, options: MarkdownSanitizerConfig): domSanitize.DomSanitizerConfig {
 	const allowedLinkSchemes = [
 		Schemas.http,
 		Schemas.https,
@@ -507,6 +520,7 @@ function getSanitizerOptions(isTrusted: boolean | MarkdownStringTrustedOptions,
 				Schemas.vscodeRemoteResource,
 			]
 		},
+		replaceWithPlaintext: options.replaceWithPlaintext,
 		_do_not_use_hooks: {
 			uponSanitizeAttribute: (element, e) => {
 				if (options.customAttrSanitizer) {
@@ -545,61 +559,6 @@ function getSanitizerOptions(isTrusted: boolean | MarkdownStringTrustedOptions,
 					e.keepAttr = false;
 				}
 			},
-			uponSanitizeElement: (element, e) => {
-				let wantsReplaceWithPlaintext = false;
-				if (e.tagName === 'input') {
-					if (element.attributes.getNamedItem('type')?.value === 'checkbox') {
-						element.setAttribute('disabled', '');
-					} else if (options.replaceWithPlaintext) {
-						wantsReplaceWithPlaintext = true;
-					} else {
-						element.remove();
-						return;
-					}
-				}
-
-				if (options.replaceWithPlaintext && (wantsReplaceWithPlaintext || (!e.allowedTags[e.tagName] && e.tagName !== 'body'))) {
-					if (element.parentElement) {
-						let startTagText: string;
-						let endTagText: string | undefined;
-						if (e.tagName === '#comment') {
-							startTagText = `<!--${element.textContent}-->`;
-						} else {
-							const isSelfClosing = selfClosingTags.includes(e.tagName);
-							const attrString = element.attributes.length ?
-								' ' + Array.from(element.attributes)
-									.map(attr => `${attr.name}="${attr.value}"`)
-									.join(' ')
-								: '';
-							startTagText = `<${e.tagName}${attrString}>`;
-							if (!isSelfClosing) {
-								endTagText = `</${e.tagName}>`;
-							}
-						}
-
-						const fragment = document.createDocumentFragment();
-						const textNode = element.parentElement.ownerDocument.createTextNode(startTagText);
-						fragment.appendChild(textNode);
-						const endTagTextNode = endTagText ? element.parentElement.ownerDocument.createTextNode(endTagText) : undefined;
-						while (element.firstChild) {
-							fragment.appendChild(element.firstChild);
-						}
-
-						if (endTagTextNode) {
-							fragment.appendChild(endTagTextNode);
-						}
-
-						if (element.nodeType === Node.COMMENT_NODE) {
-							// Workaround for https://github.com/cure53/DOMPurify/issues/1005
-							// The comment will be deleted in the next phase. However if we try to remove it now, it will cause
-							// an exception. Instead we insert the text node before the comment.
-							element.parentElement.insertBefore(fragment, element);
-						} else {
-							element.parentElement.replaceChild(fragment, element);
-						}
-					}
-				}
-			}
 		}
 	};
 }

src/vs/base/test/browser/domSanitize.test.ts

@@ -113,4 +113,65 @@ suite('DomSanitize', () => {
 
 		assert.ok(str.includes('src="data:image/png;base64,'));
 	});
+
+	suite('replaceWithPlaintext', () => {
+
+		test('replaces unsupported tags with plaintext representation', () => {
+			const html = '<div>safe<script>alert(1)</script>content</div>';
+			const result = sanitizeHtml(html, {
+				replaceWithPlaintext: true
+			});
+			const str = result.toString();
+			assert.strictEqual(str, `<div>safe&lt;script&gt;alert(1)&lt;/script&gt;content</div>`);
+		});
+
+		test('handles self-closing tags correctly', () => {
+			const html = '<div><input type="text"><custom-input /></div>';
+			const result = sanitizeHtml(html, {
+				replaceWithPlaintext: true
+			});
+			assert.strictEqual(result.toString(), '<div>&lt;input type="text"&gt;&lt;custom-input&gt;&lt;/custom-input&gt;</div>');
+		});
+
+		test('handles tags with attributes', () => {
+			const html = '<div><unknown-tag class="test" id="myid">content</unknown-tag></div>';
+			const result = sanitizeHtml(html, {
+				replaceWithPlaintext: true
+			});
+			assert.strictEqual(result.toString(), '<div>&lt;unknown-tag class="test" id="myid"&gt;content&lt;/unknown-tag&gt;</div>');
+		});
+
+		test('handles nested unsupported tags', () => {
+			const html = '<div><outer><inner>nested</inner></outer></div>';
+			const result = sanitizeHtml(html, {
+				replaceWithPlaintext: true
+			});
+			assert.strictEqual(result.toString(), '<div>&lt;outer&gt;&lt;inner&gt;nested&lt;/inner&gt;&lt;/outer&gt;</div>');
+		});
+
+		test('handles comments correctly', () => {
+			const html = '<div><!-- this is a comment -->content</div>';
+			const result = sanitizeHtml(html, {
+				replaceWithPlaintext: true
+			});
+			assert.strictEqual(result.toString(), '<div>&lt;!-- this is a comment --&gt;content</div>');
+		});
+
+		test('handles empty tags', () => {
+			const html = '<div><empty></empty></div>';
+			const result = sanitizeHtml(html, {
+				replaceWithPlaintext: true
+			});
+			assert.strictEqual(result.toString(), '<div>&lt;empty&gt;&lt;/empty&gt;</div>');
+		});
+
+		test('works with custom allowed tags configuration', () => {
+			const html = '<div><custom>allowed</custom><forbidden>not allowed</forbidden></div>';
+			const result = sanitizeHtml(html, {
+				replaceWithPlaintext: true,
+				allowedTags: { augment: ['custom'] }
+			});
+			assert.strictEqual(result.toString(), '<div><custom>allowed</custom>&lt;forbidden&gt;not allowed&lt;/forbidden&gt;</div>');
+		});
+	});
 });