From 39483f752298f8a718ef67752cc9641e525ffd2c Mon Sep 17 00:00:00 2001
From: bourgeoa
Date: Wed, 8 Mar 2023 16:20:40 +0100
Subject: [PATCH] sanitize markdown
---
 package-lock.json | 11 +++++++++++
 package.json | 1 +
 src/humanReadablePane.js | 6 ++++--
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 50203d9..3303111 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,6 +13,7 @@
 "activitystreams-pane": "0.6.10",
 "chat-pane": "2.4.22",
 "contacts-pane": "^2.6.9",
+ "dompurify": "^3.0.1",
 "folder-pane": "^2.4.24",
 "issue-pane": "2.4.16",
 "marked": "^4.2.12",
@@ -5802,6 +5803,11 @@
 "url": "https://github.com/fb55/domhandler?sponsor=1"
 }
 },
+ "node_modules/dompurify": {
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.0.1.tgz",
+ "integrity": "sha512-60tsgvPKwItxZZdfLmamp0MTcecCta3avOhsLgPZ0qcWt96OasFfhkeIRbJ6br5i0fQawT1/RBGB5L58/Jpwuw=="
+ },
 "node_modules/domutils": {
 "version": "2.8.0",
 "resolved": "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz",
@@ -22075,6 +22081,11 @@
 "domelementtype": "^2.2.0"
 }
 },
+ "dompurify": {
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.0.1.tgz",
+ "integrity": "sha512-60tsgvPKwItxZZdfLmamp0MTcecCta3avOhsLgPZ0qcWt96OasFfhkeIRbJ6br5i0fQawT1/RBGB5L58/Jpwuw=="
+ },
 "domutils": {
 "version": "2.8.0",
 "resolved": "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz",
diff --git a/package.json b/package.json
index 711ba75..9550d23 100644
--- a/package.json
+++ b/package.json
@@ -49,6 +49,7 @@
 "activitystreams-pane": "0.6.10",
 "chat-pane": "2.4.22",
 "contacts-pane": "^2.6.9",
+ "dompurify": "^3.0.1",
 "folder-pane": "^2.4.24",
 "issue-pane": "2.4.16",
 "marked": "^4.2.12",
diff --git a/src/humanReadablePane.js b/src/humanReadablePane.js
index aecd041..0d70f98 100644
--- a/src/humanReadablePane.js
+++ b/src/humanReadablePane.js 
@@ -6,6 +6,7 @@ import { icons, ns } from 'solid-ui'
 import { Util } from 'rdflib'
 import { marked } from 'marked'
+import * as DOMPurify from 'dompurify'
 const humanReadablePane = {
 icon: icons.originalIconBase + 'tango/22-text-x-generic.png',
@@ -76,7 +77,7 @@ const humanReadablePane = {
 const cts = kb.fetcher.getHeader(subject.doc(), 'content-type')
 const ct = cts ? cts[0] : null
 if (ct) {
- console.log('humanReadablePane: c-t:' + ct)
+ // console.log('humanReadablePane: c-t:' + ct)
 } else {
 console.log('humanReadablePane: unknown content-type?')
 }
@@ -92,7 +93,8 @@ const humanReadablePane = {
 const markdownText = response.responseText
 const lines = Math.min(30, markdownText.split(/\n/).length + 5)
 const res = marked.parse(markdownText)
- frame.innerHTML = res
+ const clean = DOMPurify.sanitize(res)
+ frame.innerHTML = clean
 frame.setAttribute('class', 'doc')
 frame.setAttribute('style', `border: 1px solid; padding: 1em; height: ${lines}em; width: 800px; resize: both; overflow: auto;`)
 })
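Review bot: `import * as DOMPurify from 'dompurify'` depends on bundler interop rather than on dompurify's public module shape: the library's ES build exposes the sanitizer object as its default export, so a resolver that picks that entry yields a namespace object whose only property is `default`, and `DOMPurify.sanitize` at the later call site in this file would be undefined. The documented form, `import DOMPurify from 'dompurify'`, resolves the same object against every build. Whether the project's current bundler selects the UMD/CJS entry (where the namespace form happens to work) is not visible in this diff, so I am raising this as a robustness point rather than an observed failure. The `humanReadablePane` object whose first lines appear as context here continues outside the hunk.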
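Review bot: `DOMPurify.sanitize(res)` is, as far as I know of DOMPurify's behaviour, a pass-through when the library has no usable DOM to parse with (`DOMPurify.isSupported` false): it returns its input unchanged, so in such an environment the raw `marked.parse` output would still be assigned to `frame.innerHTML` with no error raised. A guard that degrades to plain text keeps the pane safe there, e.g. `if (!DOMPurify.isSupported) { frame.textContent = markdownText } else { frame.innerHTML = DOMPurify.sanitize(res) }`, which also folds away the `clean` temporary. The new lines would also benefit from a why-comment for the next maintainer, since nothing in the hunk says why sanitizing was introduced: `// marked does not sanitize its output; the fetched markdown is untrusted, so strip scripts/event handlers before it reaches innerHTML`. The callback that owns these statements (the `})` on the last line closes it) starts outside the hunk.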