From 246d19b76e2967109a78bc3150893d7fc9179775 Mon Sep 17 00:00:00 2001
From: Tankred Hase
Date: Fri, 17 Apr 2015 20:32:34 +0200
Subject: [PATCH] [WO-03-002] Fix Insecure Regex Usage on DOMPurify Sanitizer Output (Medium)

---
 .jshintrc | 3 ++-
 package.json | 4 ++--
 src/js/controller/app/read-sandbox.js | 23 ++++++++++++++---------
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/.jshintrc b/.jshintrc
index bdd691d..6f0b487 100644
--- a/.jshintrc
+++ b/.jshintrc
@@ -46,7 +46,8 @@
 "Lawnchair",
 "_",
 "openpgp",
- "PhoneNumber"
+ "PhoneNumber",
+ "DOMPurify"
 ],
 "globals": {}
diff --git a/package.json b/package.json
index fbf0b68..9d5f0ca 100644
--- a/package.json
+++ b/package.json
@@ -39,7 +39,7 @@
 "browsersmtp": "https://github.com/whiteout-io/browsersmtp/tarball/master",
 "chai": "~1.9.2",
 "crypto-lib": "~0.2.1",
- "dompurify": "~0.4.2",
+ "dompurify": "~0.6.3",
 "grunt": "~0.4.1",
 "grunt-angular-templates": "~0.5.7",
 "grunt-autoprefixer": "~0.7.2",
@@ -78,4 +78,4 @@
 "assemble": "~0.4.42",
 "handlebars-helper-compose": "~0.2.12"
 }
-}
+}
\ No newline at end of file
diff --git a/src/js/controller/app/read-sandbox.js b/src/js/controller/app/read-sandbox.js
index 54c5d32..664abd6 100644
--- a/src/js/controller/app/read-sandbox.js
+++ b/src/js/controller/app/read-sandbox.js
@@ -1,5 +1,13 @@
 'use strict';
+// add DOMPurify hook to sanitze attributes
+DOMPurify.addHook('afterSanitizeAttributes', function(node) {
+ // open all links in a new window
+ if ('target' in node) {
+ node.setAttribute('target', '_blank');
+ }
+});
+
 // set listener for event from main window
 window.onmessage = function(e) {
 var html = '';
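Review bot: The `afterSanitizeAttributes` hook in the read-sandbox.js hunk sets `target="_blank"` on every node that has a `target` property but never sets `rel`, so each sanitized link opens the external site with a `window.opener` handle back to the sandbox window (reverse tabnabbing) and with a Referer pointing at the mail client. Add `node.setAttribute('rel', 'noopener noreferrer');` right after the `target` assignment; `noreferrer` also fits the http-leak intent of this commit. Since `'target' in node` is also true for `<form>`, `<area>` and `<base>`, not only `<a>`, the hook rewrites those elements too — harmless as far as the hunk shows, but say so in a comment, e.g. `// 'target' exists on <a>, <area>, <form> and <base>; all are forced to a new window`. The header comment has a typo: `sanitze` should be `sanitize`.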
@@ -13,19 +21,16 @@ window.onmessage = function(e) { } // sanitize HTML content: https://github.com/cure53/DOMPurify - html = window.DOMPurify.sanitize(html); - // make links open in a new window - html = html.replace(/]+\b)src=['"][^'">]+['"]/ig, function(match, prefix) { - return prefix; + // remove http leaks + document.body.innerHTML = DOMPurify.sanitize(html, { + FORBID_TAGS: ['style', 'svg', 'audio', 'video'], + FORBID_ATTR: ['src'] }); + } else { + document.body.innerHTML = DOMPurify.sanitize(html); } - document.body.innerHTML = html; - attachClickHandlers(); };
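Review bot: `FORBID_ATTR: ['src']` in the "remove http leaks" branch blocks `<img src>` but not the other attributes through which sanitized HTML can still trigger a remote fetch: the `style` attribute (`background: url(http://…)`) is still permitted even though the `<style>` tag is forbidden, and the legacy `background` attribute plus `srcset`/`poster` are not listed either (which of these DOMPurify 0.6.3 allows by default I have not verified — check its ALLOWED_ATTR before relying on the defaults). I would extend the list to `FORBID_ATTR: ['src', 'srcset', 'style', 'background', 'poster']` and keep the existing FORBID_TAGS. The condition that introduces the `} else {` is not visible in this collapsed hunk, and the old `attachClickHandlers();` call is removed with no replacement on the new side, so it is unclear whether link clicks in the sandbox are still intercepted after this change — please confirm that is intended. The enclosing `window.onmessage` handler closes at the final `};` of this hunk.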