Applies DOMSanitize.sanitize to innerHTML write

This commit sanitizes the text applied to innerHTML of the linkNode attribute on OpenUriCommandHandler. This is an attempt to limit the xss sink surface in Theia. If there is no reason to do so or this breaks some intended behavior please leave a comment indicating so. Change-Id: Ibee9829b3a44f87d15c9d46b9bc342332e5ccf08 Signed-off-by: Luke Wood <[email protected]>
eclipse-theia · Oct 29, 2020 · fb3694b · fb3694b
1 parent 6fe570d
commit fb3694b
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/packages/plugin-ext/package.json b/packages/plugin-ext/package.json
@@ -25,10 +25,12 @@
     "@theia/timeline": "^1.6.0",
     "@theia/workspace": "^1.6.0",
     "@types/connect": "^3.4.32",
+    "@types/dompurify": "^2.0.2",
     "@types/mime": "^2.0.1",
     "@types/serve-static": "^1.13.3",
     "connect": "^3.7.0",
     "decompress": "^4.2.1",
+    "dompurify": "^2.0.11",
     "escape-html": "^1.0.3",
     "filenamify": "^4.1.0",
     "jsonc-parser": "^2.2.0",

diff --git a/packages/plugin-ext/src/main/browser/commands.ts b/packages/plugin-ext/src/main/browser/commands.ts
@@ -19,6 +19,7 @@ import URI from '@theia/core/lib/common/uri';
 import { Command, CommandService } from '@theia/core/lib/common/command';
 import { AbstractDialog } from '@theia/core/lib/browser';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
+import * as DOMPurify from 'dompurify';
 
 @injectable()
 export class OpenUriCommandHandler {
@@ -90,7 +91,7 @@ class OpenNewTabDialog extends AbstractDialog<string> {
     showOpenNewTabDialog(uri: string): void {
         this.value = uri;
 
-        this.linkNode.innerHTML = uri;
+        this.linkNode.innerHTML = DOMPurify.sanitize(uri);
         this.linkNode.href = uri;
         this.openButton.onclick = () => {
             this.windowService.openNewWindow(uri);