From fc915e3337f55b320817bb7ab99035fb32791fdf Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 13 Nov 2018 14:14:14 +0100
Subject: [PATCH 1/4] Use DiffMarked in messenger to avoid duplicate code

---
 www/common/diffMarked.js | 4 ++--
 www/contacts/messenger-ui.js | 18 ++++++++----------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/www/common/diffMarked.js b/www/common/diffMarked.js
index fb59f6262..891020ba5 100644
--- a/www/common/diffMarked.js
+++ b/www/common/diffMarked.js
@@ -101,8 +101,8 @@ define([
         'IFRAME',
         'OBJECT',
         'APPLET',
-        //'VIDEO', // privacy implications of videos are the same as images
-        //'AUDIO', // same with audio
+        'VIDEO', // privacy implications of videos are the same as images
+        'AUDIO', // same with audio
     ];
     var unsafeTag = function (info) {
         /*if (info.node && $(info.node).parents('media-tag').length) {
diff --git a/www/contacts/messenger-ui.js b/www/contacts/messenger-ui.js
index dfb77b09b..d90509676 100644
--- a/www/contacts/messenger-ui.js
+++ b/www/contacts/messenger-ui.js
@@ -4,9 +4,8 @@ define([
     '/common/common-util.js',
     '/common/common-interface.js',
     '/common/hyperscript.js',
-    '/bower_components/marked/marked.min.js',
-    '/common/media-tag.js',
-], function ($, Messages, Util, UI, h, Marked, MediaTag) {
+    '/common/diffMarked.js',
+], function ($, Messages, Util, UI, h, DiffMd) {
     'use strict';
 
     var debug = console.log;
@@ -138,12 +137,14 @@ define([
     $(window).on('resize', onResize);
 
     var m = function (md, hour) {
-        var d = h('div.cp-app-contacts-content');
+        var id = Util.createRandomInteger();
+        var d = h('div', {
+            id: 'msg-'+id
+        });
         try {
-            d.innerHTML = Marked(md || '');
             var $d = $(d);
-            // remove potentially malicious elements
-            $d.find('script, iframe, object, applet, video, audio').remove();
+            DiffMd.apply(DiffMd.render(md || ''), $d, common);
+            $d.addClass("cp-app-contacts-content");
 
             // override link clicking, because we're in an iframe
             $d.find('a').each(function () {
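Review bot: `common` is passed to `DiffMd.apply` on the new side of the `@@ -138` hunk, but it is neither declared in the hunk nor among the define() parameters shown in the first hunk of this file, so it must be a module-level variable assigned elsewhere; if `m` can run before that assignment the call receives `undefined`, and a short comment naming where `common` is set (or a guard) would make that dependency visible. The element id `'msg-'+id` is only as unique as `Util.createRandomInteger()` makes it, so a collision would leave duplicate ids in the chat DOM; a why-comment such as `// unique id so DiffMd.apply can address this message's container` (presumably the reason for the id, confirm) would help the next reader. The enclosing `m` function ends outside this hunk.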
@@ -153,9 +154,6 @@ define([
                 }).attr('href');
             });
 
-            // activate media-tags
-            $d.find('media-tag').each(function (i, e) { MediaTag(e); });
-
             var time = h('div.cp-app-contacts-time', hour);
             $d.append(time);
         } catch (e) {

From 04decacaca47205fa3a55a86369be230732b1d0a Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 13 Nov 2018 14:18:09 +0100
Subject: [PATCH 2/4] Forbid JavaScript in links to the bounce app

---
 www/bounce/main.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/www/bounce/main.js b/www/bounce/main.js
index edb4f029c..6d631089f 100644
--- a/www/bounce/main.js
+++ b/www/bounce/main.js
@@ -9,6 +9,12 @@ define(['/api/config'], function (ApiConfig) {
         window.alert('The bounce application must only be used with a valid href to visit');
         return;
     }
+    if (bounceTo.indexOf('javascript:') === 0 ||
+        bounceTo.indexOf('vbscript:') === 0 ||
+        bounceTo.indexOf('data:') === 0) {
+        window.alert('Illegal bounce URL');
+        return;
+    }
     window.opener = null;
     window.location.href = bounceTo;
 });

From 3a4cfbb7e8576f3582c106b90cf509ff5661d634 Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 13 Nov 2018 17:19:28 +0100
Subject: [PATCH 3/4] Disable HTML in chat

---
 www/common/diffMarked.js | 16 +++++++++++-----
 www/contacts/messenger-ui.js | 2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/www/common/diffMarked.js b/www/common/diffMarked.js
index 891020ba5..467dfa3e6 100644
--- a/www/common/diffMarked.js
+++ b/www/common/diffMarked.js
@@ -28,12 +28,17 @@ define([
     };
 
     Marked.setOptions({
+        //sanitize: true, // Disable HTML
         renderer: renderer,
         highlight: highlighter(),
     });
 
-    DiffMd.render = function (md) {
-        return Marked(md);
+
+
+    DiffMd.render = function (md, sanitize) {
+        return Marked(md, {
+            sanitize: sanitize
+        });
     };
 
     var mediaMap = {};
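Review bot: The new scheme check in `www/bounce/main.js` is a case- and whitespace-sensitive prefix match on the raw string, while browsers normalise the scheme before deciding how to navigate, so the denylist does not cover every spelling the URL parser accepts; the robust form is to parse `bounceTo` with the URL API and allow only `http:`/`https:` (an allowlist), which also removes the need for the `// jshint ignore:line` annotations added in PATCH 4/4 on the same lines. Where `bounceTo` comes from is outside this hunk, as is the start of the enclosing callback, so I assume it is attacker-influenced (it is a navigation target taken from the page's href) — confirm. If the supported browsers lack `URL`, the minimal alternative is to normalise before comparing (`bounceTo.trim().toLowerCase()`), but parsing is preferable.
```javascript
    // … unchanged: the "valid href" check above …
    // Allowlist web schemes after parsing: a raw prefix match misses
    // alternative spellings the URL parser still normalises.
    var target;
    try {
        target = new URL(bounceTo, window.location.href);
    } catch (e) {
        window.alert('Illegal bounce URL');
        return;
    }
    if (target.protocol !== 'http:' && target.protocol !== 'https:') {
        window.alert('Illegal bounce URL');
        return;
    }
    window.opener = null;
    window.location.href = target.href;
```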
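Review bot: The `sanitize` parameter added to `DiffMd.render` in the `@@ -28` hunk of `www/common/diffMarked.js` is undocumented, and the commented-out `//sanitize: true, // Disable HTML` line in `setOptions` plus the two blank lines added above the function are leftovers; drop the dead line and add a header comment such as `// sanitize: when true, marked escapes raw HTML in the markdown instead of emitting it (used by chat); callers that omit it keep HTML enabled`. Callers that omit the argument hand `sanitize: undefined` to marked's option merge, which should behave as the default but is cleaner as `sanitize: !!sanitize`. Note that the forbidden-tag filtering further down the file is still needed for the callers that render with HTML enabled, so the two mechanisms are complementary, not alternatives.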
@@ -103,6 +108,7 @@ define([
         'APPLET',
         'VIDEO', // privacy implications of videos are the same as images
         'AUDIO', // same with audio
+        'SVG'
     ];
     var unsafeTag = function (info) {
         /*if (info.node && $(info.node).parents('media-tag').length) {
@@ -117,10 +123,10 @@ define([
         }
         if (['addElement', 'replaceElement'].indexOf(info.diff.action) !== -1) {
             var msg = "Rejecting forbidden tag of type (%s)";
-            if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName) !== -1) {
+            if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName.toUpperCase()) !== -1) {
                 console.log(msg, info.diff.element.nodeName);
                 return true;
-            } else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName) !== -1) {
+            } else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName.toUpperCase()) !== -1) {
                 console.log("Replacing restricted element type (%s) with PRE", info.diff.newValue.nodeName);
                 info.diff.newValue.nodeName = 'PRE';
             }
@@ -142,7 +148,7 @@ define([
 
     var removeForbiddenTags = function (root) {
         if (!root) { return; }
-        if (forbiddenTags.indexOf(root.nodeName) !== -1) { removeNode(root); }
+        if (forbiddenTags.indexOf(root.nodeName.toUpperCase()) !== -1) { removeNode(root); }
         slice(root.children).forEach(removeForbiddenTags);
     };
 
diff --git a/www/contacts/messenger-ui.js b/www/contacts/messenger-ui.js
index d90509676..b4e546a34 100644
--- a/www/contacts/messenger-ui.js
+++ b/www/contacts/messenger-ui.js
@@ -143,7 +143,7 @@ define([
         });
         try {
             var $d = $(d);
-            DiffMd.apply(DiffMd.render(md || ''), $d, common);
+            DiffMd.apply(DiffMd.render(md || '', true), $d, common);
             $d.addClass("cp-app-contacts-content");
 
             // override link clicking, because we're in an iframe

From ab35d6b778c1e48a2b35596db1bba9b616cdee8c Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 13 Nov 2018 17:22:34 +0100
Subject: [PATCH 4/4] lint compliance

---
 www/bounce/main.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

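Review bot: The `'SVG'` entry added here and the `.toUpperCase()` calls in the `@@ -117` and `@@ -148` hunks carry no comment saying why case normalisation became necessary; presumably elements in a foreign namespace (SVG, MathML) report a lowercase `nodeName`, which let `<svg>` subtrees pass an exact-case match against the uppercase list. Add `// nodeName is lowercase for foreign (SVG/MathML) elements; normalise before matching` above the list, and give `'SVG'` a trailing comma like the other entries. `toUpperCase()` also assumes every node reaching these checks has a string `nodeName`; if diff nodes can lack one, guard with `(root.nodeName || '').toUpperCase()` to avoid turning the filter into a thrown error. If `EMBED` is not already in the part of the list above this hunk, it belongs alongside `OBJECT`/`APPLET` for the same reason those are listed.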
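Review bot: The bare `true` passed as the second argument of `DiffMd.render` in `www/contacts/messenger-ui.js` is opaque at the call site; name the flag, e.g. `var sanitize = true; // chat messages come from other users: escape raw HTML` and pass `sanitize`, or add a trailing comment `// true: sanitize (no raw HTML in chat)`. The enclosing `m` function starts and ends outside this hunk.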
diff --git a/www/bounce/main.js b/www/bounce/main.js
index 6d631089f..ddb23d983 100644
--- a/www/bounce/main.js
+++ b/www/bounce/main.js
@@ -9,8 +9,8 @@ define(['/api/config'], function (ApiConfig) {
         window.alert('The bounce application must only be used with a valid href to visit');
         return;
     }
-    if (bounceTo.indexOf('javascript:') === 0 ||
-        bounceTo.indexOf('vbscript:') === 0 ||
+    if (bounceTo.indexOf('javascript:') === 0 || // jshint ignore:line
+        bounceTo.indexOf('vbscript:') === 0 || // jshint ignore:line
         bounceTo.indexOf('data:') === 0) {
         window.alert('Illegal bounce URL');
         return;