Sanitize user/database-derived html properly before display (#1731)

* add dompurify and apply to all dangerouslySetInnerHTML

* ban img tags to keep behaviour the same

Author: bobular

packages/libs/coreui/package.json

@@ -33,6 +33,7 @@
   "dependencies": {
     "@react-hook/size": "^2.1.2",
     "core-js": "^3.25.3",
+    "dompurify": "^3.4.7",
     "lodash": "^4.17.21",
     "react-cool-dimensions": "^2.0.7",
     "react-draggable": "^4.4.5",

packages/libs/coreui/src/components/Mesa/Components/MesaTooltip.tsx

@@ -1,4 +1,5 @@
 import React, { CSSProperties } from 'react';
+import DOMPurify from 'dompurify';
 
 import { Tooltip } from '../../info/Tooltip';
 
@@ -54,7 +55,11 @@ const MesaTooltip = ({
     <Tooltip
       title={
         renderHtml ? (
-          <div dangerouslySetInnerHTML={{ __html: content as string }} />
+          <div
+            dangerouslySetInnerHTML={{
+              __html: DOMPurify.sanitize(content as string),
+            }}
+          />
         ) : (
           content ?? <></>
         )

packages/libs/coreui/src/components/Mesa/Templates.jsx

@@ -1,4 +1,5 @@
 import React from 'react';
+import DOMPurify from 'dompurify';
 
 import { OptionsDefaults } from './Defaults';
 import OverScroll from './Components/OverScroll';
@@ -35,7 +36,9 @@ const Templates = {
     let { displayText, url } = value;
     let href = url ? url : '#';
     let text = displayText.length ? value.displayText : href;
-    text = <div dangerouslySetInnerHTML={{ __html: text }} />;
+    text = (
+      <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(text) }} />
+    );
     let target = '_blank';
 
     const props = { href, target, className };
@@ -59,7 +62,9 @@ const Templates = {
   htmlCell({ key, value, row, rowIndex, column }) {
     const { truncated } = column;
     const className = 'Cell HtmlCell Cell-' + key;
-    const content = <div dangerouslySetInnerHTML={{ __html: value }} />;
+    const content = (
+      <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(value) }} />
+    );
     const size = truncated === true ? '16em' : truncated;
 
     return truncated ? (

packages/libs/coreui/src/components/inputs/SelectTree/Utils.tsx

@@ -1,4 +1,5 @@
 import 'regenerator-runtime/runtime';
+import DOMPurify from 'dompurify';
 // Field types
 // -----------
 
@@ -384,13 +385,10 @@ export function safeHtml<P>(
   if (str.indexOf('<') === -1) {
     return <Component {...props}>{str}</Component>;
   }
-  // Use innerHTML to auto close tags
-  const container = document.createElement('div');
-  container.innerHTML = str;
   return (
     <Component
       {...props}
-      dangerouslySetInnerHTML={{ __html: container.innerHTML }}
+      dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(str) }}
     />
   );
 }

packages/libs/preferred-organisms/package.json

@@ -18,6 +18,7 @@
     "@veupathdb/coreui": "workspace:^",
     "@veupathdb/wdk-client": "workspace:^",
     "@veupathdb/web-common": "workspace:^",
+    "dompurify": "^3.4.7",
     "lodash": "^4.17.21",
     "recoil": "^0.7.7"
   },

packages/libs/preferred-organisms/src/lib/hooks/maxRecommendedGate.tsx

@@ -1,4 +1,5 @@
 import { useState, useCallback } from 'react';
+import DOMPurify from 'dompurify';
 import { Dialog } from '@veupathdb/wdk-client/lib/Components';
 import {
   FilledButton,
@@ -99,7 +100,11 @@ export function useMaxRecommendedGate(
       <div className="MaxRecommendedGate">
         <div className="MaxRecommendedGate--Message">
           {customMessage ? (
-            <div dangerouslySetInnerHTML={{ __html: customMessage }} />
+            <div
+              dangerouslySetInnerHTML={{
+                __html: DOMPurify.sanitize(customMessage),
+              }}
+            />
           ) : (
             defaultMessage
           )}

packages/libs/wdk-client/package.json

@@ -25,6 +25,7 @@
     "@veupathdb/components": "workspace:^",
     "@veupathdb/coreui": "workspace:^",
     "classnames": "^2.2.0",
+    "dompurify": "^3.4.7",
     "history": "^4.10.1",
     "json-stable-stringify": "^1.0.0",
     "localforage": "^1.5.0",

packages/libs/wdk-client/src/Utils/ComponentUtils.tsx

@@ -1,4 +1,5 @@
 import React, { useEffect } from 'react';
+import DOMPurify from 'dompurify';
 import { AttributeValue } from '../Utils/WdkModel';
 import { stripHTML } from './DomUtils';
 
@@ -267,13 +268,10 @@ export function safeHtml<P>(
   if (str.indexOf('<') === -1 && !isHtmlEntityFound) {
     return <Component {...props}>{str}</Component>;
   }
-  // Use innerHTML to auto close tags
-  let container = document.createElement('div');
-  container.innerHTML = str;
   return (
     <Component
       {...props}
-      dangerouslySetInnerHTML={{ __html: container.innerHTML }}
+      dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(str) }}
     />
   );
 }

packages/libs/wdk-client/src/Views/ResultTableSummaryView/AttributeCell.tsx

@@ -1,5 +1,6 @@
 import React, { useEffect, useLayoutEffect, useRef, useState } from 'react';
 import { isEqual, truncate } from 'lodash';
+import DOMPurify from 'dompurify';
 import { RecordInstance, AttributeField } from '../../Utils/WdkModel';
 import { safeHtml, wrappable } from '../../Utils/ComponentUtils';
 import { Tooltip } from '@veupathdb/coreui';
@@ -78,7 +79,7 @@ function AttributeCellInner({ attribute, recordInstance }: AttributeCellProps) {
       <a
         href={url}
         dangerouslySetInnerHTML={{
-          __html: truncatedDisplay,
+          __html: DOMPurify.sanitize(truncatedDisplay),
         }}
       />
     </div>

packages/libs/web-common/package.json

@@ -37,6 +37,7 @@
     "@veupathdb/eda": "workspace:^",
     "@veupathdb/wdk-client": "workspace:^",
     "custom-event-polyfill": "^1.0.7",
+    "dompurify": "^3.4.7",
     "md5": "^2.3.0",
     "pluralize": "^8.0.0",
     "whatwg-fetch": "^3.5.0"