Merge pull request #321 from whiteout-io/audit/WO-03-002

[WO-03-002] Fix Insecure Regex Usage on DOMPurify Sanitizer Output (Medi...

.jshintrc

@@ -46,7 +46,8 @@
         "Lawnchair",
         "_",
         "openpgp",
-        "PhoneNumber"
+        "PhoneNumber",
+        "DOMPurify"
     ],
 
     "globals": {}

package.json

@@ -39,7 +39,7 @@
     "browsersmtp": "https://github.com/whiteout-io/browsersmtp/tarball/master",
     "chai": "~1.9.2",
     "crypto-lib": "~0.2.1",
-    "dompurify": "~0.4.2",
+    "dompurify": "~0.6.3",
     "grunt": "~0.4.1",
     "grunt-angular-templates": "~0.5.7",
     "grunt-autoprefixer": "~0.7.2",
@@ -78,4 +78,4 @@
     "assemble": "~0.4.42",
     "handlebars-helper-compose": "~0.2.12"
   }
-}
+}

src/js/controller/app/read-sandbox.js

@@ -1,5 +1,13 @@
 'use strict';
 
+// add DOMPurify hook to sanitze attributes
+DOMPurify.addHook('afterSanitizeAttributes', function(node) {
+    // open all links in a new window
+    if ('target' in node) {
+        node.setAttribute('target', '_blank');
+    }
+});
+
 // set listener for event from main window
 window.onmessage = function(e) {
     var html = '';
@@ -13,19 +21,16 @@ window.onmessage = function(e) {
     }
 
     // sanitize HTML content: https://github.com/cure53/DOMPurify
-    html = window.DOMPurify.sanitize(html);
-    // make links open in a new window
-    html = html.replace(/<a /g, '<a target="_blank" ');
-
-    // remove sources where necessary
     if (e.data.removeImages) {
-        html = html.replace(/(<img[^>]+\b)src=['"][^'">]+['"]/ig, function(match, prefix) {
-            return prefix;
+        // remove http leaks
+        document.body.innerHTML = DOMPurify.sanitize(html, {
+            FORBID_TAGS: ['style', 'svg', 'audio', 'video'],
+            FORBID_ATTR: ['src']
         });
+    } else {
+        document.body.innerHTML = DOMPurify.sanitize(html);
     }
 
-    document.body.innerHTML = html;
-
     attachClickHandlers();
 };