feat: markdown sanitization of form tag (#7146)

Author: tim-lai

src/core/components/providers/markdown.jsx

@@ -68,7 +68,7 @@ export function sanitizer(str, { useUnsafeMarkdown = false } = {}) {
 
   return DomPurify.sanitize(str, {
     ADD_ATTR: ["target"],
-    FORBID_TAGS: ["style"],
+    FORBID_TAGS: ["style", "form"],
     ALLOW_DATA_ATTR,
     FORBID_ATTR,
   })

test/unit/xss/markdown-script-sanitization.jsx

@@ -16,6 +16,12 @@ describe("Markdown Script Sanitization", function() {
       const el = render(<Markdown source={str} />)
       expect(el.html()).toEqual(`<div class="markdown"><p><img src="x"></p>\n</div>`)
     })
+
+    it("sanitizes <form> elements", function() {
+      const str = `"<form action='https://do.not.use.url/fake' method='post' action='java'><input type='email' id='email' placeholder='Email-address' name='email' value=''><button type='submit'>Login</button>"`
+      const el = render(<Markdown source={str} />)
+      expect(el.html()).toEqual(`<div class="markdown"><p>&quot;</p><input value name="email" placeholder="Email-address" id="email" type="email"><button type="submit">Login</button>&quot;<p></p>\n</div>`)
+    })
   })
 
   describe("OAS 3", function() {
@@ -30,5 +36,11 @@ describe("Markdown Script Sanitization", function() {
       const el = render(<OAS3Markdown source={str} />)
       expect(el.html()).toEqual(`<div class="renderedMarkdown"><p><img src="x"></p></div>`)
     })
+
+    it("sanitizes <form> elements", function () {
+      const str = `"<form action='https://do.not.use.url/fake' method='post' action='java'><input type='email' id='email' placeholder='Email-address' name='email' value=''><button type='submit'>Login</button>"`
+      const el = render(<OAS3Markdown source={str} />)
+      expect(el.html()).toEqual(`<div class="renderedMarkdown"><p>&quot;</p><input value name="email" placeholder="Email-address" id="email" type="email"><button type="submit">Login</button>&quot;<p></p></div>`)
+    })
   })
 })