Merge pull request #4116 from maxceem/hotfix/sanitize-message-html

RishiRajSahu · web-flow · commit 6d1da9a5853f · 2020-09-10T12:46:24.000+05:30
[HOTFIX] [PROD] Sanitze message text HTML
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -147,7 +147,8 @@
     "redux-promise-middleware": "4.2.1",
     "redux-segment": "^1.6.2",
     "redux-thunk": "^2.1.0",
-    "remarkable": "^1.7.1",
+    "remarkable": "^1.7.4",
+    "sanitize-html": "^1.27.4",
     "svg-react-loader": "^0.4.5",
     "tc-accounts": "git+https://github.com/appirio-tech/accounts-app.git#v1.0.4",
     "tc-ui": "git+https://github.com/appirio-tech/tc-ui.git#feature/connectv2",
diff --git a/src/helpers/markdownToState.js b/src/helpers/markdownToState.js
@@ -1,4 +1,5 @@
 import {convertFromRaw} from 'draft-js'
+import sanitizeHtml from 'sanitize-html'
 const Remarkable = require('remarkable')
 
 // Block level items, key is Remarkable's key for them, value returned is
@@ -218,7 +219,11 @@ export function markdownToHTML(markdown) {
     // typographer: true,
   })
   // Replace the BBCode [u][/u] to markdown '++' for underline style
-  const _markdown = markdown.replace(new RegExp('\\[/?u\\]', 'g'), '++')
+  let _markdown = markdown.replace(new RegExp('\\[/?u\\]', 'g'), '++')
+  _markdown = sanitizeHtml(_markdown, {
+    allowedTags: [ 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b', 'i', 'strong', 'em', 'strike', 'abbr', 'code', 'br', 'pre' ],
+    disallowedTagsMode: 'escape'
+  })
   return md.render(_markdown, {}) // remarkable js takes markdown and makes it an array of style objects for us to easily parse
 }
 
