Merge pull request #1359 from 3clyp50/pluginreadme

fix plugin README image rebasing and sanitize rendered markdown

Author: nicolasleao

plugins/_plugin_installer/webui/pluginInstallStore.js

@@ -1,8 +1,7 @@
 import { createStore } from "/js/AlpineStore.js";
 import * as api from "/js/api.js";
-import { addBlankTargetsToLinks } from "/js/messages.js";
 import { openModal } from "/js/modals.js";
-import { marked } from "/vendor/marked/marked.esm.js";
+import { renderSafeMarkdown } from "/js/safe-markdown.js";
 import { toastFrontendSuccess, toastFrontendError } from "/components/notifications/notification-store.js";
 import { showConfirmDialog } from "/js/confirmDialog.js";
 import { store as imageViewerStore } from "/components/modals/image-viewer/image-viewer-store.js";
@@ -80,52 +79,6 @@ const model = {
     return url.replace("https://github.com/", "https://raw.githubusercontent.com/");
   },
 
-  _rebaseReadmeLinks(html, githubUrl, branch) {
-    if (!html || typeof html !== "string" || !githubUrl || !branch) return html;
-
-    let repoUrl;
-    try {
-      repoUrl = new URL(githubUrl.trim().replace(/\.git$/i, ""));
-    } catch {
-      return html;
-    }
-
-    if (repoUrl.hostname !== "github.com") return html;
-
-    const [owner, repo] = repoUrl.pathname
-      .replace(/^\/+|\/+$/g, "")
-      .split("/");
-    if (!owner || !repo) return html;
-
-    const repoBlobBase = `https://github.com/${owner}/${repo}/blob/${branch}`;
-    const doc = new DOMParser().parseFromString(html, "text/html");
-
-    doc.querySelectorAll("a[href]").forEach((anchor) => {
-      const href = (anchor.getAttribute("href") || "").trim();
-      if (
-        !href ||
-        href.startsWith("#") ||
-        href.startsWith("//") ||
-        /^[a-zA-Z][a-zA-Z\d+.-]*:/.test(href)
-      ) {
-        return;
-      }
-
-      try {
-        const resolved = new URL(href, "https://repo-root.invalid/");
-        const repoPath = resolved.pathname.replace(/^\/+/, "");
-        anchor.setAttribute(
-          "href",
-          `${repoBlobBase}/${repoPath}${resolved.search}${resolved.hash}`,
-        );
-      } catch {
-        // Leave malformed links unchanged.
-      }
-    });
-
-    return doc.body.innerHTML;
-  },
-
   _pluginPrimaryTag(plugin) {
     const tags = Array.isArray(plugin?.tags) ? plugin.tags.filter(Boolean) : [];
     return tags[0] || "";
@@ -551,9 +504,10 @@ const model = {
           if (!response.ok) continue;
 
           const readme = await response.text();
-          let html = marked.parse(readme, { breaks: true });
-          html = this._rebaseReadmeLinks(html, plugin?.github, branch);
-          this.readmeContent = addBlankTargetsToLinks(html);
+          this.readmeContent = renderSafeMarkdown(readme, {
+            githubUrl: plugin?.github,
+            branch,
+          });
           return;
         } catch (error) {
           lastError = error;

webui/components/modals/markdown/markdown-store.js

@@ -1,5 +1,5 @@
-import { marked } from "/vendor/marked/marked.esm.js";
 import { createStore } from "/js/AlpineStore.js";
+import { renderSafeMarkdown } from "/js/safe-markdown.js";
 
 export const store = createStore("markdownModal", {
     title: "",
@@ -14,7 +14,7 @@ export const store = createStore("markdownModal", {
 
     get renderedHtml() {
         if (!this.content) return "";
-        return marked.parse(this.content, { breaks: true });
+        return renderSafeMarkdown(this.content);
     },
 
     cleanup() {

webui/components/plugins/list/pluginListStore.js

@@ -1,7 +1,6 @@
 import { createStore } from "/js/AlpineStore.js";
 import * as api from "/js/api.js";
-import { marked } from "/vendor/marked/marked.esm.js";
-import { addBlankTargetsToLinks } from "/js/messages.js";
+import { renderSafeMarkdown } from "/js/safe-markdown.js";
 import { store as pluginSettingsStore } from "/components/plugins/plugin-settings-store.js";
 import { store as pluginToggleStore } from "/components/plugins/toggle/plugin-toggle-store.js";
 import { store as pluginExecuteStore } from "/components/plugins/list/plugin-execute-store.js";
@@ -167,8 +166,7 @@ const model = {
         doc: "readme",
       });
       if (response?.error) throw new Error(response.error);
-      const html = marked.parse(response.content || "", { breaks: true });
-      this.readmeContent = addBlankTargetsToLinks(html);
+      this.readmeContent = renderSafeMarkdown(response.content || "");
     } catch (e) {
       const error = e instanceof Error ? e : new Error(String(e));
       this.readmeError = error.message || "Failed to load README";

webui/js/html-links.js

@@ -0,0 +1,27 @@
+export function addBlankTargetsToLinks(str) {
+  const doc = new DOMParser().parseFromString(str, "text/html");
+
+  doc.querySelectorAll("a").forEach((anchor) => {
+    const href = anchor.getAttribute("href") || "";
+    if (
+      href.startsWith("#") ||
+      href.trim().toLowerCase().startsWith("javascript")
+    ) {
+      return;
+    }
+
+    if (
+      !anchor.hasAttribute("target") ||
+      anchor.getAttribute("target") === ""
+    ) {
+      anchor.setAttribute("target", "_blank");
+    }
+
+    const rel = (anchor.getAttribute("rel") || "").split(/\s+/).filter(Boolean);
+    if (!rel.includes("noopener")) rel.push("noopener");
+    if (!rel.includes("noreferrer")) rel.push("noreferrer");
+    anchor.setAttribute("rel", rel.join(" "));
+  });
+
+  return doc.body.innerHTML;
+}

webui/js/messages.js

@@ -13,6 +13,7 @@ import { store as preferencesStore } from "/components/sidebar/bottom/preference
 import { formatDuration } from "./time-utils.js";
 import { Scroller } from "./scroller.js";
 import { callJsExtensions } from "/js/extensions.js";
+import { addBlankTargetsToLinks } from "/js/html-links.js";
 
 // Delay before collapsing previous steps when a new step is added
 const STEP_COLLAPSE_DELAY = {
@@ -762,30 +763,7 @@ export function _drawMessage({
   return messageDiv;
 }
 
-export function addBlankTargetsToLinks(str) {
-  const doc = new DOMParser().parseFromString(str, "text/html");
-
-  doc.querySelectorAll("a").forEach((anchor) => {
-    const href = anchor.getAttribute("href") || "";
-    if (
-      href.startsWith("#") ||
-      href.trim().toLowerCase().startsWith("javascript")
-    )
-      return;
-    if (
-      !anchor.hasAttribute("target") ||
-      anchor.getAttribute("target") === ""
-    ) {
-      anchor.setAttribute("target", "_blank");
-    }
-
-    const rel = (anchor.getAttribute("rel") || "").split(/\s+/).filter(Boolean);
-    if (!rel.includes("noopener")) rel.push("noopener");
-    if (!rel.includes("noreferrer")) rel.push("noreferrer");
-    anchor.setAttribute("rel", rel.join(" "));
-  });
-  return doc.body.innerHTML;
-}
+export { addBlankTargetsToLinks };
 
 /**
  * @param {MessageHandlerArgs & Record<string, any>} param0

webui/js/safe-markdown.js

@@ -0,0 +1,182 @@
+import DOMPurify from "/vendor/dompurify/purify.es.mjs";
+import { marked } from "/vendor/marked/marked.esm.js";
+import { addBlankTargetsToLinks } from "/js/html-links.js";
+
+const GITHUB_REPO_ROUTE_PREFIXES = new Set([
+  "actions",
+  "blob",
+  "branches",
+  "commit",
+  "commits",
+  "compare",
+  "discussions",
+  "issues",
+  "labels",
+  "milestones",
+  "packages",
+  "projects",
+  "pulls",
+  "raw",
+  "releases",
+  "security",
+  "tags",
+  "tree",
+  "wiki",
+]);
+
+const DOMPURIFY_CONFIG = Object.freeze({
+  USE_PROFILES: { html: true },
+  FORBID_TAGS: ["script", "iframe", "object", "embed", "svg", "math"],
+});
+
+function parseGithubRepoContext(githubUrl) {
+  if (!githubUrl || typeof githubUrl !== "string") return null;
+
+  let repoUrl;
+  try {
+    repoUrl = new URL(githubUrl.trim().replace(/\.git$/i, ""));
+  } catch {
+    return null;
+  }
+
+  if (repoUrl.hostname !== "github.com") return null;
+
+  const [owner, repo] = repoUrl.pathname
+    .replace(/^\/+|\/+$/g, "")
+    .split("/");
+  if (!owner || !repo) return null;
+
+  return { owner, repo };
+}
+
+function shouldSkipRebase(value) {
+  return (
+    !value ||
+    value.startsWith("#") ||
+    value.startsWith("//") ||
+    /^[a-zA-Z][a-zA-Z\d+.-]*:/.test(value)
+  );
+}
+
+function resolveRepoPath(value) {
+  if (shouldSkipRebase(value)) return null;
+  try {
+    const resolved = new URL(value, "https://repo-root.invalid/");
+    return `${resolved.pathname.replace(/^\/+/, "")}${resolved.search}${resolved.hash}`;
+  } catch {
+    return null;
+  }
+}
+
+function isGithubRepoRoutePath(repoPath) {
+  const pathOnly = repoPath
+    .split(/[?#]/, 1)[0]
+    .replace(/^\/+|\/+$/g, "");
+  if (!pathOnly) return false;
+  const firstSegment = pathOnly.split("/")[0].toLowerCase();
+  return GITHUB_REPO_ROUTE_PREFIXES.has(firstSegment);
+}
+
+function isSafeUrlValue(value, attributeName) {
+  const normalized = String(value || "").trim();
+  if (!normalized) return true;
+  if (
+    normalized.startsWith("#") ||
+    normalized.startsWith("/") ||
+    normalized.startsWith("./") ||
+    normalized.startsWith("../") ||
+    normalized.startsWith("?")
+  ) {
+    return true;
+  }
+
+  try {
+    const url = new URL(normalized, "https://sanitizer.invalid/");
+    if (url.origin === "https://sanitizer.invalid") {
+      return true;
+    }
+
+    const protocol = url.protocol.toLowerCase();
+    if (protocol === "http:" || protocol === "https:") return true;
+    if (attributeName === "href" && (protocol === "mailto:" || protocol === "tel:")) {
+      return true;
+    }
+  } catch {
+    return false;
+  }
+
+  return false;
+}
+
+function stripUnsafeUrlAttributes(html) {
+  const doc = new DOMParser().parseFromString(html, "text/html");
+
+  doc.querySelectorAll("[href], [src]").forEach((element) => {
+    for (const attributeName of ["href", "src"]) {
+      if (!element.hasAttribute(attributeName)) continue;
+      const value = element.getAttribute(attributeName) || "";
+      if (!isSafeUrlValue(value, attributeName)) {
+        element.removeAttribute(attributeName);
+      }
+    }
+  });
+
+  return doc.body.innerHTML;
+}
+
+export function sanitizeHtml(html) {
+  if (!html || typeof html !== "string") return "";
+  const sanitized = DOMPurify.sanitize(html, DOMPURIFY_CONFIG);
+  return stripUnsafeUrlAttributes(sanitized);
+}
+
+export function rebaseGithubReadmeHtml(html, githubUrl, branch) {
+  if (!html || typeof html !== "string" || !branch) return html;
+
+  const repoContext = parseGithubRepoContext(githubUrl);
+  if (!repoContext) return html;
+
+  const { owner, repo } = repoContext;
+  const repoWebBase = `https://github.com/${owner}/${repo}`;
+  const repoBlobBase = `${repoWebBase}/blob/${branch}`;
+  const repoRawBase = `https://raw.githubusercontent.com/${owner}/${repo}/${branch}`;
+  const doc = new DOMParser().parseFromString(html, "text/html");
+
+  // Single-segment links like "releases" are ambiguous, so README rebasing
+  // needs an explicit GitHub repo-route allowlist instead of a single base URL.
+  doc.querySelectorAll("a[href]").forEach((anchor) => {
+    const href = (anchor.getAttribute("href") || "").trim();
+    const repoPath = resolveRepoPath(href);
+    if (!repoPath) return;
+    const base = isGithubRepoRoutePath(repoPath) ? repoWebBase : repoBlobBase;
+    anchor.setAttribute("href", `${base}/${repoPath}`);
+  });
+
+  doc.querySelectorAll("img[src]").forEach((image) => {
+    const src = (image.getAttribute("src") || "").trim();
+    const repoPath = resolveRepoPath(src);
+    if (!repoPath) return;
+    image.setAttribute("src", `${repoRawBase}/${repoPath}`);
+  });
+
+  return doc.body.innerHTML;
+}
+
+export function renderSafeMarkdown(markdown, options = {}) {
+  if (!markdown) return "";
+
+  const { githubUrl = "", branch = "", openExternalLinksInNewTab = true } = options;
+
+  let html = marked.parse(markdown, { breaks: true });
+  if (githubUrl && branch) {
+    html = rebaseGithubReadmeHtml(html, githubUrl, branch);
+  }
+
+  html = sanitizeHtml(html);
+
+  if (openExternalLinksInNewTab) {
+    html = addBlankTargetsToLinks(html);
+  }
+
+  return html;
+}