From bc7a4cf8c514d5d06605f05dc10aafc0b1123752 Mon Sep 17 00:00:00 2001
From: Eva <evauwu@riseup.net>
Date: Thu, 27 Mar 2025 00:59:18 +0100
Subject: [PATCH] client/markdown: prevent arbitrary tags Introduced in
 0137cf383a81e0a2a0f5db7c2ded4b4a55c5e2fc, anywhere that allows markdown e.g.
 comments allowed any arbitrary tag that wasn't explicitly banned by
 DOMPurify, since it cannot know whether it came from our Markdown renderer or
 from the user. People could add arbitrary <style> tags that mess with the
 page, <button>s etc. It did not lead to XSS since DOMPurify strips it, but
 still unacceptable. escapeHtml is identical to the old behavior of marked.js
 sanitize=true

---
 client/js/util/markdown.js | 27 ++++++++++++++-------------
 client/js/util/misc.js     | 12 +-----------
 2 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/client/js/util/markdown.js b/client/js/util/markdown.js
index e71e3263..2a1b2d0e 100644
--- a/client/js/util/markdown.js
+++ b/client/js/util/markdown.js
@@ -110,24 +110,22 @@ class StrikeThroughWrapper extends BaseMarkdownWrapper {
     }
 }
 
-function createRenderer() {
-    function sanitize(str) {
-        return str.replace(/&<"/g, (m) => {
-            if (m === "&") {
-                return "&amp;";
-            }
-            if (m === "<") {
-                return "&lt;";
-            }
-            return "&quot;";
-        });
-    }
+function escapeHtml(unsafe) {
+    return unsafe
+        .toString()
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&apos;");
+}
 
+function createRenderer() {
     const renderer = new marked.Renderer();
     renderer.image = (href, title, alt) => {
         let [_, url, width, height] =
             /^(.+?)(?:\s=\s*(\d*)\s*x\s*(\d*)\s*)?$/.exec(href);
-        let res = '<img src="' + sanitize(url) + '" alt="' + sanitize(alt);
+        let res = '<img src="' + escapeHtml(url) + '" alt="' + escapeHtml(alt);
         if (width) {
             res += '" width="' + width;
         }
@@ -156,6 +154,7 @@ function formatMarkdown(text) {
         new SmallWrapper(),
         new StrikeThroughWrapper(),
     ];
+    text = escapeHtml(text);
     for (let wrapper of wrappers) {
         text = wrapper.preprocess(text);
     }
@@ -182,6 +181,7 @@ function formatInlineMarkdown(text) {
         new SmallWrapper(),
         new StrikeThroughWrapper(),
     ];
+    text = escapeHtml(text);
     for (let wrapper of wrappers) {
         text = wrapper.preprocess(text);
     }
@@ -196,4 +196,5 @@ function formatInlineMarkdown(text) {
 module.exports = {
     formatMarkdown: formatMarkdown,
     formatInlineMarkdown: formatInlineMarkdown,
+    escapeHtml: escapeHtml,
 };
diff --git a/client/js/util/misc.js b/client/js/util/misc.js
index 756ad84b..a794b046 100644
--- a/client/js/util/misc.js
+++ b/client/js/util/misc.js
@@ -156,16 +156,6 @@ function makeCssName(text, suffix) {
     return suffix + "-" + text.replace(/[^a-z0-9]/g, "_");
 }
 
-function escapeHtml(unsafe) {
-    return unsafe
-        .toString()
-        .replace(/&/g, "&amp;")
-        .replace(/</g, "&lt;")
-        .replace(/>/g, "&gt;")
-        .replace(/"/g, "&quot;")
-        .replace(/'/g, "&apos;");
-}
-
 function arraysDiffer(source1, source2, orderImportant) {
     source1 = [...source1];
     source2 = [...source2];
@@ -221,7 +211,7 @@ module.exports = {
     enableExitConfirmation: enableExitConfirmation,
     disableExitConfirmation: disableExitConfirmation,
     confirmPageExit: confirmPageExit,
-    escapeHtml: escapeHtml,
+    escapeHtml: markdown.escapeHtml,
     makeCssName: makeCssName,
     splitByWhitespace: splitByWhitespace,
     arraysDiffer: arraysDiffer,