From 575264fb4fcbc4530c43bd24b8713a593d89dfdd Mon Sep 17 00:00:00 2001
From: Robbie Antenesse
Date: Sat, 19 Aug 2017 11:00:39 -0600
Subject: [PATCH] Add sanitize-html for content displayed via dangerouslySetInnerHtml

---
 package.json | 1 +
 .../DetailsSection/PhonologyDisplay.jsx | 3 +-
 .../DetailsSection/index.jsx | 4 +-
 .../display/DictionaryDetails/index.jsx | 5 +-
 yarn.lock | 55 +++++++++++++++++++
 5 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 1d0aeb6..01b34ce 100644
--- a/package.json
+++ b/package.json
@@ -48,6 +48,7 @@
 "inferno-devtools": "^3.6.1",
 "marked": "^0.3.6",
 "papaparse": "^4.3.3",
+ "sanitize-html": "^1.14.1",
 "store": "^2.0.12"
 }
 }
diff --git a/src/components/display/DictionaryDetails/DetailsSection/PhonologyDisplay.jsx b/src/components/display/DictionaryDetails/DetailsSection/PhonologyDisplay.jsx
index 6e0e4ea..b6cff4a 100644
--- a/src/components/display/DictionaryDetails/DetailsSection/PhonologyDisplay.jsx
+++ b/src/components/display/DictionaryDetails/DetailsSection/PhonologyDisplay.jsx
@@ -1,6 +1,7 @@
 import Inferno from 'inferno';
 import Component from 'inferno-component';
 import marked from 'marked';
+import sanitizeHtml from 'sanitize-html';
 export const PhonologyDisplay = ({ phonologyContent }) => {
 return (
@@ -128,7 +129,7 @@ export const PhonologyDisplay = ({ phonologyContent }) => {
 Exceptions:
diff --git a/src/components/display/DictionaryDetails/DetailsSection/index.jsx b/src/components/display/DictionaryDetails/DetailsSection/index.jsx
index 281bece..e50c34f 100644
--- a/src/components/display/DictionaryDetails/DetailsSection/index.jsx
+++ b/src/components/display/DictionaryDetails/DetailsSection/index.jsx
@@ -1,6 +1,7 @@
 import Inferno from 'inferno';
 import Component from 'inferno-component';
 import marked from 'marked';
+import sanitizeHtml from 'sanitize-html';
 import { PhonologyDisplay } from './PhonologyDisplay';
@@ -48,10 +49,11 @@ export class DetailsSection extends Component {
 }
 }
 } else {
+ const sanitizedCustomTabContent = sanitizeHtml(details.custom[currentDisplay - defaultMenuLength].content);
 return (
);
diff --git a/src/components/display/DictionaryDetails/index.jsx b/src/components/display/DictionaryDetails/index.jsx
index 5694770..c838f63 100644
--- a/src/components/display/DictionaryDetails/index.jsx
+++ b/src/components/display/DictionaryDetails/index.jsx
@@ -1,6 +1,7 @@
 import Inferno from 'inferno';
 import Component from 'inferno-component';
 import marked from 'marked';
+import sanitizeHtml from 'sanitize-html';
 import { EditDictionaryModal } from '../../management/EditDictionaryModal';
 import { DetailsSection } from './DetailsSection';
@@ -20,7 +21,7 @@ export class DictionaryDetails extends Component {
 currentDisplay: DISPLAY.NONE,
 }
- this._descriptionHTML = marked(props.description);
+ this._descriptionHTML = marked(sanitizeHtml(props.description));
 }
 componentWillReceiveProps (nextProps) {
@@ -28,7 +29,7 @@ export class DictionaryDetails extends Component {
 nextDescription = nextProps.description;
 if (currentDescription !== nextDescription) {
- this._descriptionHTML = marked(nextProps.description);
+ this._descriptionHTML = marked(sanitizeHtml(nextProps.description));
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 0419e91..a579b52 100644
--- a/yarn.lock
+++ b/yarn.lock
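Review bot: In DictionaryDetails/index.jsx the sanitizer is applied to the markdown source rather than to the HTML that marked() produces, in both the constructor hunk (@@ -20,7) and the componentWillReceiveProps hunk (@@ -28,7), so the string later handed to dangerouslySetInnerHTML is whatever marked emits after sanitize-html has already run, not a sanitized document. Markup that marked itself generates from markdown syntax, such as a link or image whose target uses a non-http scheme, never passes through the sanitizer, and marked 0.3.x only rejects such targets when its own `sanitize` option is enabled, which nothing visible here sets. Reversing the nesting sanitizes the final output and lets sanitize-html's default tag and scheme allow-lists do their job: `this._descriptionHTML = sanitizeHtml(marked(props.description));` in the constructor and `this._descriptionHTML = sanitizeHtml(marked(nextProps.description));` in componentWillReceiveProps. The same question applies to `sanitizedCustomTabContent` in DetailsSection/index.jsx (@@ -48,10) if the JSX that consumes it, which is not visible in this excerpt, still renders the value through marked(). Both DictionaryDetails methods continue outside their hunks.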
@@ -1091,10 +1091,38 @@ dns-txt@^2.0.2: dependencies: buffer-indexof "^1.0.0" +dom-serializer@0: + version "0.1.0" + resolved "https://registry.yarnpkg.com/dom-serializer/-/dom-serializer-0.1.0.tgz#073c697546ce0780ce23be4a28e293e40bc30c82" + dependencies: + domelementtype "~1.1.1" + entities "~1.1.1" + domain-browser@^1.1.1: version "1.1.7" resolved "https://registry.yarnpkg.com/domain-browser/-/domain-browser-1.1.7.tgz#867aa4b093faa05f1de08c06f4d7b21fdf8698bc" +domelementtype@1, domelementtype@^1.3.0: + version "1.3.0" + resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.3.0.tgz#b17aed82e8ab59e52dd9c19b1756e0fc187204c2" + +domelementtype@~1.1.1: + version "1.1.3" + resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.1.3.tgz#bd28773e2642881aec51544924299c5cd822185b" + +domhandler@^2.3.0: + version "2.4.1" + resolved "https://registry.yarnpkg.com/domhandler/-/domhandler-2.4.1.tgz#892e47000a99be55bbf3774ffea0561d8879c259" + dependencies: + domelementtype "1" + +domutils@^1.5.1: + version "1.6.2" + resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.6.2.tgz#1958cc0b4c9426e9ed367fb1c8e854891b0fa3ff" + dependencies: + dom-serializer "0" + domelementtype "1" + ecc-jsbn@~0.1.1: version "0.1.1" resolved "https://registry.yarnpkg.com/ecc-jsbn/-/ecc-jsbn-0.1.1.tgz#0fc73a9ed5f0d53c38193398523ef7e543777505" @@ -1138,6 +1166,10 @@ enhanced-resolve@^3.0.0: object-assign "^4.0.1" tapable "^0.2.5" +entities@^1.1.1, entities@~1.1.1: + version "1.1.1" + resolved "https://registry.yarnpkg.com/entities/-/entities-1.1.1.tgz#6e5c2d0a5621b5dadaecef80b90edfb5cd7772f0" + errno@^0.1.3: version "0.1.4" resolved "https://registry.yarnpkg.com/errno/-/errno-0.1.4.tgz#b896e23a9e5e8ba33871fc996abd3635fc9a1c7d" 
@@ -1745,6 +1777,17 @@ html-minifier@^3.0.1: relateurl "0.2.x" uglify-js "~2.8.22" +htmlparser2@^3.9.0: + version "3.9.2" + resolved "https://registry.yarnpkg.com/htmlparser2/-/htmlparser2-3.9.2.tgz#1bdf87acca0f3f9e53fa4fcceb0f4b4cbb00b338" + dependencies: + domelementtype "^1.3.0" + domhandler "^2.3.0" + domutils "^1.5.1" + entities "^1.1.1" + inherits "^2.0.1" + readable-stream "^2.0.2" + http-deceiver@^1.2.7: version "1.2.7" resolved "https://registry.yarnpkg.com/http-deceiver/-/http-deceiver-1.2.7.tgz#fa7168944ab9a519d337cb0bec7284dc3e723d87" @@ -3240,6 +3283,10 @@ regex-cache@^0.4.2: is-equal-shallow "^0.1.3" is-primitive "^2.0.0" +regexp-quote@0.0.0: + version "0.0.0" + resolved "https://registry.yarnpkg.com/regexp-quote/-/regexp-quote-0.0.0.tgz#1e0f4650c862dcbfed54fd42b148e9bb1721fcf2" + regexpu-core@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/regexpu-core/-/regexpu-core-1.0.0.tgz#86a763f58ee4d7c2f6b102e4764050de7ed90c6b" @@ -3343,6 +3390,14 @@ safe-buffer@^5.0.1: version "5.0.1" resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.0.1.tgz#d263ca54696cd8a306b5ca6551e92de57918fbe7" +sanitize-html@^1.14.1: + version "1.14.1" + resolved "https://registry.yarnpkg.com/sanitize-html/-/sanitize-html-1.14.1.tgz#730ffa2249bdf18333effe45b286173c9c5ad0b8" + dependencies: + htmlparser2 "^3.9.0" + regexp-quote "0.0.0" + xtend "^4.0.0" + sass-graph@^2.1.1: version "2.1.2" resolved "https://registry.yarnpkg.com/sass-graph/-/sass-graph-2.1.2.tgz#965104be23e8103cb7e5f710df65935b317da57b"