CB-4743 adds html sanitizer

dbeaver · Feb 27, 2024 · 00864bd · 00864bd
1 parent e27d5d1
commit 00864bd
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 1 deletion.
diff --git a/webapp/packages/core-utils/package.json b/webapp/packages/core-utils/package.json
@@ -21,6 +21,7 @@
     "@timohausmann/quadtree-ts": "2.0.0-beta.1",
     "@types/whatwg-mimetype": "^3.0.2",
     "clsx": "^2.0.0",
+    "dompurify": "^3.0.9",
     "fast-deep-equal": "^3.1.3",
     "md5": "^2.3.0",
     "mobx": "^6.12.0",
@@ -32,6 +33,7 @@
   },
   "peerDependencies": {},
   "devDependencies": {
+    "@types/dompurify": "^3.0.5",
     "@types/jest": "^29.5.10",
     "@types/md5": "~2.3.5",
     "@types/underscore": "^1.11.15",

diff --git a/webapp/packages/core-utils/src/index.ts b/webapp/packages/core-utils/src/index.ts
@@ -76,3 +76,4 @@ export * from './removeLineBreak';
 export * from './replaceSubstring';
 export * from './formatNumber';
 export * from './withTimestamp';
+export * from './sanitizeHtml';
diff --git a/webapp/packages/core-utils/src/sanitizeHtml.test.tsx b/webapp/packages/core-utils/src/sanitizeHtml.test.tsx
@@ -0,0 +1,35 @@
+import { sanitizeHtml } from './sanitizeHtml';
+
+describe('sanitize', () => {
+  it('should sanitize input', () => {
+    const input = '<script>alert("some unsafe action")</script>';
+    const output = sanitizeHtml(input);
+    expect(output).toBe('');
+  });
+
+  it('should sanitize input and keep safe tags', () => {
+    const input = '<div>qwe</div><script>alert("some unsafe action")</script><div>asd</div>';
+    const output = sanitizeHtml(input);
+    expect(output).toBe('<div>qwe</div><div>asd</div>');
+  });
+
+  it('should not sanitize safe input', () => {
+    const input = 'Hello, world!';
+    const output = sanitizeHtml(input);
+    expect(output).toBe(input);
+  });
+
+  it('should sanitize unsafe input', () => {
+    const input = '<img src="x" onerror="alert(1)">';
+    const output = sanitizeHtml(input);
+    expect(output).toBe('<img src="x">');
+  });
+
+  it('should sanitize unsafe input with attributes', () => {
+    const input = '<a href="javascript:alert(1)">click me</a>';
+    const output = sanitizeHtml(input);
+    expect(output).toBe('<a>click me</a>');
+  });
+
+  it('should sanitize unsafe input with attributes', () => {});
+});
diff --git a/webapp/packages/core-utils/src/sanitizeHtml.ts b/webapp/packages/core-utils/src/sanitizeHtml.ts
@@ -0,0 +1,14 @@
+/*
+ * CloudBeaver - Cloud Database Manager
+ * Copyright (C) 2020-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0.
+ * you may not use this file except in compliance with the License.
+ */
+import DOMPurify from 'dompurify';
+
+export function sanitizeHtml<T extends string | HTMLElement>(dirty: T): T extends string ? string : HTMLElement {
+  const purify = DOMPurify(window);
+
+  return purify.sanitize(dirty, {}) as T extends string ? string : HTMLElement;
+}
diff --git a/webapp/yarn.lock b/webapp/yarn.lock
@@ -4547,6 +4547,13 @@
   dependencies:
     "@types/ms" "*"
 
+"@types/dompurify@^3.0.5":
+  version "3.0.5"
+  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-3.0.5.tgz#02069a2fcb89a163bacf1a788f73cb415dd75cb7"
+  integrity sha512-1Wg0g3BtQF7sSb27fJQAKck1HECM6zV1EB66j8JH9i3LCjYabJa0FSdiSgsD5K/RbrsR0SiraKacLB+T8ZVYAg==
+  dependencies:
+    "@types/trusted-types" "*"
+
 "@types/eslint-scope@^3.7.3":
   version "3.7.7"
   resolved "https://registry.yarnpkg.com/@types/eslint-scope/-/eslint-scope-3.7.7.tgz#3108bd5f18b0cdb277c867b3dd449c9ed7079ac5"
@@ -4917,7 +4924,7 @@
   resolved "https://registry.yarnpkg.com/@types/tough-cookie/-/tough-cookie-4.0.5.tgz#cb6e2a691b70cb177c6e3ae9c1d2e8b2ea8cd304"
   integrity sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA==
 
-"@types/trusted-types@^2.0.2":
+"@types/trusted-types@*", "@types/trusted-types@^2.0.2":
   version "2.0.7"
   resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.7.tgz#baccb07a970b91707df3a3e8ba6896c57ead2d11"
   integrity sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==
@@ -8287,6 +8294,11 @@ domhandler@^4.0.0, domhandler@^4.2.0, domhandler@^4.3.1:
   dependencies:
     domelementtype "^2.2.0"
 
+dompurify@^3.0.9:
+  version "3.0.9"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.9.tgz#b3f362f24b99f53498c75d43ecbd784b0b3ad65e"
+  integrity sha512-uyb4NDIvQ3hRn6NiC+SIFaP4mJ/MdXlvtunaqK9Bn6dD3RuB/1S/gasEjDHD8eiaqdSael2vBv+hOs7Y+jhYOQ==
+
 domutils@^1.7.0:
   version "1.7.0"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a"