make markdown slightly safer without the nohtml volflag

by running dompurify after marked.parse if plugins are not enabled; adds no protection against the more practical approach of just putting a malicious <script> in an html file and uploading that, but one footgun less is one less footgun
2025-08-17 17:12:13 -06:00 · 2023-08-26 17:37:02 +00:00 · 2023-08-26 17:37:02 +00:00 · 9f8edb7f32
parent c5a6ac8417
commit 9f8edb7f32
4 changed files with 17 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1599,6 +1599,7 @@ some notes on hardening
 * set `--rproxy 0` if your copyparty is directly facing the internet (not through a reverse-proxy)
  * cors doesn't work right otherwise
 * if you allow anonymous uploads or otherwise don't trust the contents of a volume, you can prevent XSS with volflag `nohtml`
+  * this returns html documents as plaintext, and also disables markdown rendering

 safety profiles:

--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
@ -7123,7 +7123,12 @@ function show_md(md, name, div, url, depth) {

 	try {
 		clmod(div, 'mdo', 1);
-		if (sandbox(div, sb_md, 'mdo', marked.parse(md, marked_opts)))
+
+		var md_html = marked.parse(md, marked_opts);
+		if (!have_emp)
+			md_html = DOMPurify.sanitize(md_html);
+
+		if (sandbox(div, sb_md, 'mdo', md_html))
 			return;

 		ext = md_plug.post;
--- a/copyparty/web/md.js
+++ b/copyparty/web/md.js
@ -212,6 +212,8 @@ function convert_markdown(md_text, dest_dom) {

    try {
        var md_html = marked.parse(md_text, marked_opts);
+        if (!have_emp)
+            md_html = DOMPurify.sanitize(md_html);
    }
    catch (ex) {
        if (ext)
--- a/scripts/deps-docker/Dockerfile
+++ b/scripts/deps-docker/Dockerfile
@ -3,6 +3,7 @@ WORKDIR /z
 ENV     ver_asmcrypto=c72492f4a66e17a0e5dd8ad7874de354f3ccdaa5 \
        ver_hashwasm=4.9.0 \
        ver_marked=4.3.0 \
+        ver_dompf=3.0.5 \
        ver_mde=2.18.0 \
        ver_codemirror=5.65.12 \
        ver_fontawesome=5.13.0 \
@ -13,6 +14,7 @@ ENV     ver_asmcrypto=c72492f4a66e17a0e5dd8ad7874de354f3ccdaa5 \
 # https://github.com/markedjs/marked/releases
 # https://github.com/Ionaru/easy-markdown-editor/tags
 # https://github.com/codemirror/codemirror5/releases
+# https://github.com/cure53/DOMPurify/releases
 # https://github.com/Daninet/hash-wasm/releases
 # https://github.com/openpgpjs/asmcrypto.js
 # https://github.com/google/zopfli/tags
@ -27,6 +29,7 @@ RUN     mkdir -p /z/dist/no-pk \
        && wget https://github.com/markedjs/marked/archive/v$ver_marked.tar.gz -O marked.tgz \
        && wget https://github.com/Ionaru/easy-markdown-editor/archive/$ver_mde.tar.gz -O mde.tgz \
        && wget https://github.com/codemirror/codemirror5/archive/$ver_codemirror.tar.gz -O codemirror.tgz \
+        && wget https://github.com/cure53/DOMPurify/archive/refs/tags/$ver_dompf.tar.gz -O dompurify.tgz \
        && wget https://github.com/FortAwesome/Font-Awesome/releases/download/$ver_fontawesome/fontawesome-free-$ver_fontawesome-web.zip -O fontawesome.zip \
        && wget https://github.com/google/zopfli/archive/zopfli-$ver_zopfli.tar.gz -O zopfli.tgz \
        && wget https://github.com/Daninet/hash-wasm/releases/download/v$ver_hashwasm/hash-wasm@$ver_hashwasm.zip -O hash-wasm.zip \
@ -48,6 +51,7 @@ RUN     mkdir -p /z/dist/no-pk \
            && cd easy-markdown-editor* \
            && npm install \
            && npm i gulp-cli -g ) \
+        && tar -xf dompurify.tgz \
        && tar -xf prism.tgz \
        && unzip fontawesome.zip \
        && tar -xf zopfli.tgz
@ -120,6 +124,10 @@ RUN     cd easy-markdown-editor-$ver_mde \
        && cp -pv dist/easymde.min.js /z/dist/easymde.js


+# build dompurify
+RUN     (echo; cat DOMPurify-$ver_dompf/dist/purify.min.js) >> /z/dist/marked.js
+
+
 # build fontawesome and scp
 COPY    mini-fa.sh /z
 COPY    mini-fa.css /z