fix #8541 - whitelist youtube (and vimeo) videos on the share server (and in timetravel)

- I did this by switching from xss to sanitize-html, which seems to be a
  lot cleaner and easier to use, just as popular, updated more recently, etc.

Author: williamstein

src/packages/frontend/components/html-ssr.tsx

@@ -17,59 +17,18 @@ import React from "react";
 import htmlReactParser, {
   attributesToProps,
   domToReact,
-  Element, Text
+  Element,
+  Text,
 } from "html-react-parser";
-import stripXSS, { safeAttrValue, whiteList } from "xss";
-import type { IFilterXSSOptions } from "xss";
+import sanitizeHtml from "sanitize-html";
 import { useFileContext } from "@cocalc/frontend/lib/file-context";
 import DefaultMath from "@cocalc/frontend/components/math/ssr";
 import { MathJaxConfig } from "@cocalc/util/mathjax-config";
 import { decodeHTML } from "entities";
 
 const URL_ATTRIBS = ["src", "href", "data"];
-
 const MATH_SKIP_TAGS = new Set<string>(MathJaxConfig.tex2jax.skipTags);
 
-function getXSSOptions(urlTransform): IFilterXSSOptions | undefined {
-  // - stripIgnoreTagBody - completely get rid of dangerous HTML
-  //   (otherwise user sees weird mangled style code, when seeing
-  //   nothing would be better).
-  // - whiteList - we need iframes to support 3d graphics; unfortunately this
-  //   isn't safe without a lot more work, so we do NOT enable them.
-  return {
-    stripIgnoreTagBody: true,
-    // SECURITY: whitelist note -- we had tried to explicitly allow mathjax script tags in sanitized html
-    // by whitelisting and scanning.  However, this didn't properly work (perhaps due to some update)
-    // and resulted in a security vulnerability:
-    //    https://github.com/sagemathinc/cocalc/security/advisories/GHSA-8w44-hggw-p5rf
-    // The fix is completley removing any whitelisting of any script tags.  The feature of
-    // mathjax in html is not important enough to support, and too dangerous -- even if it worked,
-    // it would probably be an easy attack vector by just making up fake mathjax.
-    // Due to https://github.com/sagemathinc/cocalc/security/advisories/GHSA-jpjc-pwjv-j9mg
-    // we also remove all use of iframes, which
-    whiteList: {
-      ...whiteList,
-      // DISABLED due to https://github.com/sagemathinc/cocalc/security/advisories/GHSA-jpjc-pwjv-j9mg
-      // iframe: ["src", "srcdoc", "width", "height"],
-      iframe: [],
-      html: [],
-    },
-    safeAttrValue: (tag, name, value) => {
-      // disabled since not sufficiently secure.
-      //       if (tag == "iframe" && name == "srcdoc") {
-      //         // important not to mangle this or it won't work.
-      //         return value;
-      //       }
-      if (urlTransform && URL_ATTRIBS.includes(name)) {
-        // use the url transform
-        return urlTransform(value, tag, name) ?? value;
-      }
-      // fallback to the builtin version
-      return safeAttrValue(tag, name, value, false as any);
-    },
-  };
-}
-
 export default function HTML({
   value,
   style,
@@ -82,7 +41,30 @@ export default function HTML({
   const { urlTransform, AnchorTagComponent, noSanitize, MathComponent } =
     useFileContext();
   if (!noSanitize) {
-    value = stripXSS(value, getXSSOptions(urlTransform));
+    value = sanitizeHtml(value, {
+      allowedTags: sanitizeHtml.defaults.allowedTags.concat(["img", "iframe"]),
+      allowedAttributes: {
+        ...sanitizeHtml.defaults.allowedAttributes,
+        iframe: [
+          "src",
+          "width",
+          "height",
+          "title",
+          "allow",
+          "allowfullscreen",
+          "referrerpolicy",
+          "loading",
+          "frameborder",
+        ],
+      },
+      allowedIframeHostnames: [
+        "www.youtube.com",
+        "youtube.com",
+        "www.youtube-nocookie.com",
+        "youtube-nocookie.com",
+        "player.vimeo.com",
+      ],
+    });
   }
   if (value.trimLeft().startsWith("<html>")) {
     // Sage output formulas are wrapped in "<html>" for some stupid reason, which
@@ -143,28 +125,6 @@ export default function HTML({
           </AnchorTagComponent>
         );
       }
-      if (name == "iframe") {
-        // We sandbox and minimize what we allow.  Don't
-        // use {...attribs} due to srcDoc vs srcdoc.
-        // We don't allow setting the style, since that leads
-        // to a lot of attacks (i.e., making the iframe move in a
-        // sneaky way).  We have to allow-same-origin or scripts
-        // won't work at all, which is one of the main uses for
-        // iframes.  A good test is 3d graphics in Sage kernel
-        // Jupyter notebooks.
-        // TODO: Except this is a security issue, since
-        // combining allow-scripts & allow-same-origin makes it
-        // possible to remove a lot of sandboxing.
-        return (
-          <iframe
-            src={attribs.src}
-            srcDoc={attribs.srcdoc}
-            width={attribs.width}
-            height={attribs.height}
-            sandbox="allow-forms allow-scripts allow-same-origin"
-          />
-        );
-      }
 
       if (noSanitize && urlTransform != null && attribs != null) {
         // since we did not sanitize the HTML (which also does urlTransform),

src/packages/frontend/components/youtube-embed-allowlist.ts

@@ -0,0 +1,39 @@
+export function parseYouTubeEmbedId(src: string): string | null {
+  try {
+    const u = new URL(src, "https://dummy.example"); // handle relative
+    if (u.protocol !== "https:") return null;
+
+    const host = u.hostname.toLowerCase();
+    const allowedHosts = new Set([
+      "www.youtube.com",
+      "youtube.com",
+      "www.youtube-nocookie.com",
+      "youtube-nocookie.com",
+    ]);
+
+    if (!allowedHosts.has(host)) return null;
+
+    // Only allow /embed/<VIDEO_ID> (11-char ID)
+    const m = u.pathname.match(/^\/embed\/([a-zA-Z0-9_-]{11})$/);
+    if (!m) return null;
+    return m[1]; // the 11-char video id
+  } catch {
+    return null;
+  }
+}
+
+export function buildSafeYouTubeIframeHTML(
+  videoId: string,
+  opts?: { width?: string; height?: string; title?: string },
+): string {
+  const width =
+    opts?.width && /^\d{1,4}$/.test(opts.width) ? opts.width : "560";
+  const height =
+    opts?.height && /^\d{1,4}$/.test(opts.height) ? opts.height : "315";
+  const title = (opts?.title ?? "YouTube video player").replace(/"/g, "&quot;");
+
+  // Force privacy-enhanced domain and a tight, fixed attribute set
+  const src = `https://www.youtube-nocookie.com/embed/${videoId}`;
+
+  return `<iframe width="${width}" height="${height}" src="${src}" title="${title}" frameborder="0" loading="lazy" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>`;
+}

src/packages/frontend/package.json

@@ -135,6 +135,7 @@
     "react-redux": "^9.2.0",
     "react-timeago": "^8.2.0",
     "react-virtuoso": "^4.9.0",
+    "sanitize-html": "^2.17.0",
     "slate": "^0.103.0",
     "superb": "^3.0.0",
     "three-ancient": "npm:three@=0.78.0",
@@ -145,7 +146,6 @@
     "use-resize-observer": "^9.1.0",
     "utility-types": "^3.10.0",
     "video-extensions": "^1.2.0",
-    "xss": "^1.0.11",
     "zlibjs": "^0.3.1"
   },
   "devDependencies": {