From 6a047a045a54d77bc36f7cbc70d761e5f16d5755 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Fri, 13 Jan 2017 18:30:43 +0100
Subject: Apply DOMPurify over HTML

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---
 settings/js/apps.js         | 4 ++--
 settings/templates/apps.php | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

(limited to 'settings')

diff --git a/settings/js/apps.js b/settings/js/apps.js
index a527b354e68..65a05116557 100644
--- a/settings/js/apps.js
+++ b/settings/js/apps.js
@@ -189,7 +189,7 @@ OC.Settings.Apps = OC.Settings.Apps || {
 		}
 
 		// Parse markdown in app description
-		app.description = marked(app.description.trim(), OC.Settings.Apps.markedOptions);
+		app.description = DOMPurify.sanitize(marked(app.description.trim(), OC.Settings.Apps.markedOptions));
 
 		var html = template(app);
 		if (selector) {
@@ -653,7 +653,7 @@ OC.Settings.Apps = OC.Settings.Apps || {
 				return '';
 			}
 
-			var out = '<a href="' + href + '"';
+			var out = '<a href="' + href + '" rel="noreferrer noopener"';
 			if (title) {
 				out += ' title="' + title + '"';
 			}
diff --git a/settings/templates/apps.php b/settings/templates/apps.php
index bd1d4a2ba77..b609777e03b 100644
--- a/settings/templates/apps.php
+++ b/settings/templates/apps.php
@@ -5,6 +5,7 @@ vendor_script(
 	[
 		'handlebars/handlebars',
 		'marked/marked.min',
+		'DOMPurify/dist/purify.min',
 	]
 );
 script(
-- 
cgit v1.2.3