Merge pull request silverstripe#9 from silverstripe-security/pulls/1.…

…3/xss-hollywood

CVE-2019-14272 Sanitise link text for insert modals

client/src/legacy/TinyMCE_sslink.js

@@ -3,6 +3,7 @@ import TinyMCEActionRegistrar from 'lib/TinyMCEActionRegistrar';
 import ReactDOM from 'react-dom';
 import jQuery from 'jquery';
 import { setupTinyMceInlineToolbar } from 'components/TinymceInlineToolbar/TinymceInlineToolbar';
+import { createHTMLSanitiser } from 'lib/ShortcodeSerialiser';
 import i18n from 'i18n';
 
 const plugin = {
@@ -95,7 +96,7 @@ jQuery.entwine('ss', ($) => {
       /* noop */
     },
 
-    /**
+  /**
      * Default behaviour, recommended to overload this and sanitise where needed
      *
      * @param data
@@ -107,8 +108,9 @@ jQuery.entwine('ss', ($) => {
       editor.selection.moveToBookmark(this.getBookmark());
 
       const attributes = this.buildAttributes(data);
-
-      this.insertLinkInEditor(attributes, data.Text);
+      const sanitise = createHTMLSanitiser();
+      const linkText = sanitise(data.Text);
+      this.insertLinkInEditor(attributes, linkText);
       this.close();
 
       return Promise.resolve();

client/src/lib/ShortcodeSerialiser.js

@@ -133,4 +133,26 @@ const ShortcodeSerialiser = {
   },
 };
 
+const createHTMLSanitiser = () => {
+  const div = document.createElement('div');
+  return (str) => {
+    div.textContent = str;
+
+    return div.innerHTML;
+  };
+};
+
+const sanitiseShortCodeProperties = (rawProperties) => {
+  const sanitise = createHTMLSanitiser();
+  return Object.entries(rawProperties).reduce((props, [name, value]) => ({
+      ...props,
+      [name]: sanitise(value)
+  }), {});
+};
+
+export {
+  sanitiseShortCodeProperties,
+  createHTMLSanitiser,
+};
+
 export default ShortcodeSerialiser;