From 9344fd78d8bb12d962308a7974edaa6a665e3049 Mon Sep 17 00:00:00 2001
From: Sander Steenhuis
Date: Sun, 4 Mar 2018 17:27:58 +0100
Subject: [PATCH] Remove xss attack; closes #1443 at least partially
---
 browser/lib/markdown-it-sanitize-html.js | 23 +++++++++++++++++++++++
 browser/lib/markdown.js | 11 +++++++++++
 package.json | 1 +
 3 files changed, 35 insertions(+)
 create mode 100644 browser/lib/markdown-it-sanitize-html.js
diff --git a/browser/lib/markdown-it-sanitize-html.js b/browser/lib/markdown-it-sanitize-html.js
new file mode 100644
index 00000000..beec9566
--- /dev/null
+++ b/browser/lib/markdown-it-sanitize-html.js
@@ -0,0 +1,23 @@
+'use strict'
+
+import sanitizeHtml from 'sanitize-html'
+
+module.exports = function sanitizePlugin (md, options) {
+ options = options || {}
+
+ md.core.ruler.after('linkify', 'sanitize_inline', state => {
+ for (let tokenIdx = 0; tokenIdx < state.tokens.length; tokenIdx++) {
+ if (state.tokens[tokenIdx].type === 'html_block') {
+ state.tokens[tokenIdx].content = sanitizeHtml(state.tokens[tokenIdx].content, options)
+ }
+ if (state.tokens[tokenIdx].type === 'inline') {
+ const inlineTokens = state.tokens[tokenIdx].children
+ for (let childIdx = 0; childIdx < inlineTokens.length; childIdx++) {
+ if (inlineTokens[childIdx].type === 'html_inline') {
+ inlineTokens[childIdx].content = sanitizeHtml(inlineTokens[childIdx].content, options)
+ }
+ }
+ }
+ }
+ })
+}
diff --git a/browser/lib/markdown.js b/browser/lib/markdown.js
index d0801a1b..5184ce16 100644
--- a/browser/lib/markdown.js
+++ b/browser/lib/markdown.js
@@ -1,4 +1,5 @@
 import markdownit from 'markdown-it'
+import sanitize from './markdown-it-sanitize-html'
 import emoji from 'markdown-it-emoji'
 import math from '@rokt33r/markdown-it-math'
 import _ from 'lodash'
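Review bot: The new module exports with `module.exports` (line 5 of the file) while importing with an ES `import` on line 3, and markdown.js consumes it with `import sanitize from './markdown-it-sanitize-html'`; pick one module system and write `export default function sanitizePlugin (md, options) {`. The file also has no header comment, and the rule name `sanitize_inline` understates its scope: the rule rewrites `html_block` tokens as well as the `html_inline` children of `inline` tokens and leaves everything else to markdown-it's own escaping and link validation, so a comment such as `// Runs sanitize-html over every raw-HTML token (html_block and html_inline) after linkify, so raw HTML in a note is reduced to the tags/attributes allow-listed in options` would make that clear. Each `html_inline` token is sanitized as its own fragment, so an opening tag and its closing tag that land in different tokens are never seen together; I have not verified how sanitize-html treats an unclosed allowed tag in such a fragment, so a test with `<img …>` inside a paragraph and one with a disallowed tag pair around text would be worth adding.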
@@ -46,6 +47,16 @@ var md = markdownit({
 ''
 }
 })
+// Sanitize use rinput before other plugins
+md.use(sanitize, {
+ allowedTags: ['img', 'iframe'],
+ allowedAttributes: {
+ '*': ['alt', 'style'],
+ 'img': ['src', 'height', 'width'],
+ 'iframe': ['src']
+ },
+ allowedIframeHostnames: ['www.youtube.com']
+})
 md.use(emoji, {
 shortcuts: {}
 })
diff --git a/package.json b/package.json
index db2a9733..476e4b45 100644
--- a/package.json
+++ b/package.json
@@ -84,6 +84,7 @@
 "react-sortable-hoc": "^0.6.7",
 "redux": "^3.5.2",
 "sander": "^0.5.1",
+ "sanitize-html": "^1.18.2",
 "striptags": "^2.2.1",
 "superagent": "^1.2.0",
 "superagent-promise": "^1.0.3"
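Review bot: `'*': ['alt', 'style']` lets every surviving element carry an arbitrary inline `style`, so although script execution is now blocked, a note can still inject CSS (for example a fixed-position overlay covering the editor UI, or `url()` values that may fetch remote resources when the note is rendered); consider dropping `style` from the wildcard list, or constraining it with sanitize-html's `allowedStyles` option if the installed version supports it. The comment above `md.use(sanitize, …)` has a typo and is slightly misleading, since the plugin registers a core rule after `linkify` and its position in the pipeline is fixed by that call rather than by `md.use` order; suggested wording: `// Sanitize user input: strips raw HTML down to the tags/attributes below (runs as a core rule after linkify)`. It is also worth stating in that comment that `allowedTags` deliberately keeps only `img` and `iframe`, so every other HTML tag a user types is removed (with sanitize-html defaults their text content is kept, while the contents of tags such as script and style are discarded), because that is a visible product decision readers of this file will otherwise have to rediscover.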