markdown: encode bad nodes HTML instead of pruning it

As pruning means content an user wrote into the box, even if with
malicious intend, gets hidden and that can be quite confusing..

So rather get the outerHTML, transform it with ExtJS's htmlEncode and
set it again.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/Parser.js b/src/Parser.js
index 17d176cd79eea52f580245cbb9bd6a221e0a44b6..c92126feb1bba10fcdaa5ed78ca179bdbffb4c8c 100644 (file)
--- a/src/Parser.js
+++ b/src/Parser.js
@@ -3,7 +3,7 @@ Ext.define('Proxmox.Markdown', {
     alternateClassName: 'Px.Markdown', // just trying out something, do NOT copy this line
     singleton: true,
 
-    // transforms HTML to a DOM tree and recursively descends and prunes every branch with a
+    // transforms HTML to a DOM tree and recursively descends and HTML-encodes every branch with a
     // "bad" node.type and drops "bad" attributes from the remaining nodes.
     // "bad" means anything which can do XSS or break the layout of the outer page
     sanitizeHTML: function(input) {
@@ -14,7 +14,8 @@ Ext.define('Proxmox.Markdown', {
        _sanitize = (node) => {
            if (node.nodeType === 3) return;
            if (node.nodeType !== 1 || /^(script|iframe|object|embed|svg)$/i.test(node.tagName)) {
-               node.remove();
+               // could do node.remove() instead, but it's nicer UX if we keep the (encoded!) html
+               node.outerHTML = Ext.String.htmlEncode(node.outerHTML);
                return;
            }
            for (let i=node.attributes.length; i--;) {