feat: SEC-957 sanitize markdown (#72)

productboard · Nov 3, 2022 · 9298126 · 9298126 · vercel · Nov 3, 2022
1 parent 12e7e3d
commit 9298126
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 6 deletions.
diff --git a/package.json b/package.json
@@ -31,6 +31,7 @@
     "jsuri": "^1.3.0",
     "marked": "^4.0.10",
     "twemoji": "^13.1.0",
+    "xss": "^1.0.14",
     "xtend": "^4.0.1"
   },
   "devDependencies": {

diff --git a/src/transform.ts b/src/transform.ts
@@ -5,6 +5,7 @@ import is from 'is';
 import xtend from 'xtend';
 import { Colors } from './base';
 import { SafeString } from 'handlebars/runtime';
+import xss from 'xss';
 
 var DEFAULT_COLORS = {
   primary: '#ff4981',
@@ -101,10 +102,10 @@ export default function transform(options: TransformOptions) {
 
   return {
     intro: new SafeString(
-      marked(options.intro || t('INTRO'), { renderer: renderer })
+      xss(marked(options.intro || t('INTRO'), { renderer: renderer }))
     ),
     outro: new SafeString(
-      marked(options.outro || t('OUTRO'), { renderer: renderer })
+      xss(marked(options.outro || t('OUTRO'), { renderer: renderer }))
     ),
     question: t('HOW_LIKELY'),
     colors: colors,

diff --git a/src/transformV2.ts b/src/transformV2.ts
@@ -3,6 +3,7 @@ import is from 'is';
 import Uri from 'jsuri';
 import { marked } from 'marked';
 import twemoji from 'twemoji';
+import xss from 'xss';
 
 import {
   BaseTemplateOptions,
@@ -142,8 +143,8 @@ export function transformV2(options: TransformV2Options): TemplateV2Options {
 
   const direction = options.direction || 'ltr';
   const templateOptions: BaseTemplateOptions = {
-    intro: new SafeString(marked(options.intro, { renderer })),
-    outro: new SafeString(marked(options.outro, { renderer })),
+    intro: new SafeString(xss(marked(options.intro, { renderer }))),
+    outro: new SafeString(xss(marked(options.outro, { renderer }))),
     question: options.question.label,
     colors: {
       ...DEFAULT_COLORS,
@@ -164,7 +165,10 @@ export function transformV2(options: TransformV2Options): TemplateV2Options {
     botHoneypotUrl: options.botHoneypotUrl
   };
 
-  if (options.question.type === 'single-choice' || options.question.type === 'multiple-choice') {
+  if (
+    options.question.type === 'single-choice' ||
+    options.question.type === 'multiple-choice'
+  ) {
     const choices = options.question.choices.map((choice) => {
       return {
         label: choice,

diff --git a/stories/nps.ts b/stories/nps.ts
@@ -39,6 +39,12 @@ export const markdown = () =>
     outro: 'Bye **bye**'
   });
 
+export const introXss = () =>
+  renderV2({
+    ...nps,
+    intro: '<img src=x onerror=alert(document.domain)>PAYLOAD<img>'
+  });
+
 export const xss = () =>
   renderV2({
     ...nps,

diff --git a/yarn.lock b/yarn.lock
@@ -3193,7 +3193,7 @@ [email protected]:
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.17.1.tgz#bd77ab7de6de94205ceacc72f1716d29f20a77bf"
   integrity sha512-wPMUt6FnH2yzG95SA6mzjQOEKUU3aLaDEmzs1ti+1E9h+CsrZghRlqEM/EJ4KscsQVG8uNN4uVreUeT8+drlgg==
 
-commander@^2.19.0, commander@^2.20.0, commander@~2.20.3:
+commander@^2.19.0, commander@^2.20.0, commander@^2.20.3, commander@~2.20.3:
   version "2.20.3"
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
   integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
@@ -3588,6 +3588,11 @@ cssesc@^3.0.0:
   resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
   integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
 
+[email protected]:
+  version "0.0.10"
+  resolved "https://registry.yarnpkg.com/cssfilter/-/cssfilter-0.0.10.tgz#c6d2672632a2e5c83e013e6864a42ce8defd20ae"
+  integrity sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw==
+
 csstype@^2.2.0, csstype@^2.5.7:
   version "2.6.7"
   resolved "https://registry.yarnpkg.com/csstype/-/csstype-2.6.7.tgz#20b0024c20b6718f4eda3853a1f5a1cce7f5e4a5"
@@ -10501,6 +10506,14 @@ write-file-atomic@^4.0.0, write-file-atomic@^4.0.1:
     imurmurhash "^0.1.4"
     signal-exit "^3.0.7"
 
+xss@^1.0.14:
+  version "1.0.14"
+  resolved "https://registry.yarnpkg.com/xss/-/xss-1.0.14.tgz#4f3efbde75ad0d82e9921cc3c95e6590dd336694"
+  integrity sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==
+  dependencies:
+    commander "^2.20.3"
+    cssfilter "0.0.10"
+
 xtend@^4.0.0, xtend@~4.0.1:
   version "4.0.2"
   resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"