fix display of highlight, which can leak html. (why doesn't ES scrub this, since it injects html itself???) [UFI-14]

eapearson · eapearson · commit 5a20ac135bf3 · 2022-04-13T08:08:22.000-07:00
diff --git a/dist.tgz b/dist.tgz
diff --git a/src/plugin/iframe_root/modules/components/narrative/data.js b/src/plugin/iframe_root/modules/components/narrative/data.js
@@ -1,4 +1,10 @@
-define(['bluebird', 'moment', 'knockout', '../../lib/searchApi'], function (Promise, moment, ko, SearchAPI) {
+define([
+    'bluebird',
+    'moment',
+    'knockout',
+    '../../lib/searchApi',
+    '../../lib/security'],
+(Promise, moment, ko, SearchAPI, security) => {
     'use strict';
 
     // For now, this fakes the search...
@@ -51,7 +57,7 @@ define(['bluebird', 'moment', 'knockout', '../../lib/searchApi'], function (Prom
                     label: label,
                     highlights: obj.highlight[field].map(function (highlight) {
                         return {
-                            highlight: highlight
+                            highlight: security.scrubHighlight(highlight)
                         };
                     })
                 });
diff --git a/src/plugin/iframe_root/modules/components/reference/data.js b/src/plugin/iframe_root/modules/components/reference/data.js
@@ -1,12 +1,16 @@
 define([
     'bluebird',
     'knockout',
+    'uuid',
     '../../lib/searchApi',
+    '../../lib/security',
     'yaml!../../data/stopWords.yml'
 ], function (
     Promise,
     ko,
+    Uuid,
     SearchAPI,
+    security,
     stopWordsDb
 ) {
     'use strict';
@@ -68,14 +72,15 @@ define([
                     console.warn('highlight field ' + field + ' not found in type spec', obj);
                 }
 
+
                 matches
                     .push({
                         id: field,
                         label: label,
                         highlights: obj.highlight[field]
                             .map((highlight) => {
                                 return {
-                                    highlight
+                                    highlight: security.scrubHighlight(highlight)
                                 };
                             })
                     });
diff --git a/src/plugin/iframe_root/modules/lib/security.js b/src/plugin/iframe_root/modules/lib/security.js
@@ -0,0 +1,19 @@
+define(['uuid'], (Uuid) => {
+    'use strict';
+
+    function encodeHTML(possibleHTML) {
+        const node = document.createElement('div');
+        node.innerHTML = possibleHTML;
+        return node.innerText;
+    }
+    function scrubHighlight(highlight) {
+        const emStart = new Uuid(4).format();
+        const emFinish = new Uuid(4).format();
+
+        const safe1 = highlight.replace('<em>', emStart).replace('</em>', emFinish);
+        const safe2 = encodeHTML(safe1);
+        return safe2.replace(emStart, '<em>').replace(emFinish, '</em>');
+    }
+
+    return {encodeHTML, scrubHighlight};
+});
