From 71bc0913bd1a52d1f34e31815a53819a411fbd7e Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Sun, 4 Jul 2021 19:22:38 +0200
Subject: [PATCH] markdown: encode bad nodes HTML instead of pruning it

As pruning means content an user wrote into the box, even if with malicious intend, gets hidden and that can be quite confusing.. So rather get the outerHTML, transform it with ExtJS's htmlEncode and set it again.

Signed-off-by: Thomas Lamprecht
---
 src/Parser.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Parser.js b/src/Parser.js
index 17d176c..c92126f 100644
--- a/src/Parser.js
+++ b/src/Parser.js
@@ -3,7 +3,7 @@ Ext.define('Proxmox.Markdown', {
 alternateClassName: 'Px.Markdown', // just trying out something, do NOT copy this line
 singleton: true,
- // transforms HTML to a DOM tree and recursively descends and prunes every branch with a
+ // transforms HTML to a DOM tree and recursively descends and HTML-encodes every branch with a
 // "bad" node.type and drops "bad" attributes from the remaining nodes.
 // "bad" means anything which can do XSS or break the layout of the outer page
 sanitizeHTML: function(input) {
@@ -14,7 +14,8 @@ Ext.define('Proxmox.Markdown', {
 _sanitize = (node) => {
 if (node.nodeType === 3) return;
 if (node.nodeType !== 1 || /^(script|iframe|object|embed|svg)$/i.test(node.tagName)) {
- node.remove();
+ // could do node.remove() instead, but it's nicer UX if we keep the (encoded!) html
+ node.outerHTML = Ext.String.htmlEncode(node.outerHTML);
 return;
 }
 for (let i=node.attributes.length; i--;) {
-- 
2.39.2
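Review bot: `outerHTML` is an Element property, so the new assignment in the `node.nodeType !== 1` branch appears not to replace non-element nodes such as comments: reading it there yields `undefined`, and the assignment only sets an expando, leaving the node in the tree where `node.remove()` previously dropped it. Encoding only makes sense for elements, so keep removal for everything else and encode just the rejected tags, e.g. `if (node.nodeType !== 1) { node.remove(); return; }` ahead of the tag test, with the tag branch then doing `node.replaceWith(document.createTextNode(node.outerHTML));`, which shows the same escaped markup without re-parsing the encoded string as HTML. Swapping a node out from under the caller's walk over `childNodes` may also interact with that iteration, which is outside the hunk and worth a look. The `_sanitize` body continues past the end of the hunk.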