fix(xss): address PR review feedback on purify config and escaping

Updates HTMLPurifier config to use HTML 5 doctype for consistency
with Html5Definition, adds URI.AllowedSchemes to block javascript:
and data: URLs in sanitized HTML, and extracts the inline DOM
escaping pattern into a named escapeHtml() method for readability.

Author: ardelato

config/purify.php

@@ -41,10 +41,15 @@
 
         'default' => [
             'Core.Encoding' => 'utf-8',
-            'HTML.Doctype' => 'HTML 4.01 Transitional',
+            'HTML.Doctype' => 'HTML 5',
             'HTML.Allowed' => 'h1,h2,h3,h4,h5,h6,b,u,strong,i,em,s,del,a[href|title],ul,ol,li,p[style],br,span,img[width|height|alt|src],blockquote',
             'HTML.ForbiddenElements' => '',
             'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
+            'URI.AllowedSchemes' => [
+                'http' => true,
+                'https' => true,
+                'mailto' => true,
+            ],
             'AutoFormat.AutoParagraph' => false,
             'AutoFormat.RemoveEmpty' => false,
         ],

resources/js/components/GroupPage.vue

@@ -159,16 +159,20 @@ export default {
       haveLeft: false
     }
   },
+  methods: {
+    escapeHtml(str) {
+      const el = document.createElement('span')
+      el.textContent = str
+      return el.innerHTML
+    },
+  },
   computed: {
     group() {
       return this.$store.getters['groups/get'](this.idgroups)
     },
     translatedHaveLeft() {
-      const el = document.createElement('span')
-      el.textContent = this.group.name
-      const escapedName = el.innerHTML
       return this.$lang.get('groups.now_unfollowed', {
-        name: escapedName,
+        name: this.escapeHtml(this.group.name),
         link: '/group/view/' + this.group.id
       })
     }