Fix: #1390 prevent XSS attack

src/muya/lib/parser/render/renderInlines/htmlTag.js

@@ -1,6 +1,9 @@
+import createDOMPurify from 'dompurify'
 import { CLASS_OR_ID, BLOCK_TYPE6 } from '../../../config'
 import { snakeToCamel } from '../../../utils'
 
+const { sanitize } = createDOMPurify(window)
+
 export default function htmlTag (h, cursor, block, token, outerClass) {
   const { tag, openTag, closeTag, children, attrs } = token
   const className = children ? this.getClassName(outerClass, block, token, cursor) : CLASS_OR_ID['AG_GRAY']
@@ -34,8 +37,9 @@ export default function htmlTag (h, cursor, block, token, outerClass) {
         // if  tag is a block level element, use a inline element `span` to instead.
         // Because we can not nest a block level element in span element(line is span element)
         // we also recommand user not use block level element in paragraph. use block element in html block.
-        let selector = BLOCK_TYPE6.includes(tag) ? 'span' : tag
+        // Use code !sanitize(`<${tag}>`) to filter some malicious tags. for example: <embed>.
-        selector += `.${CLASS_OR_ID['AG_INLINE_RULE']}`
+        let selector = BLOCK_TYPE6.includes(tag) || !sanitize(`<${tag}>`) ? 'span' : tag
+        selector += `.${CLASS_OR_ID.AG_INLINE_RULE}`
         const data = {
           attrs: {},
           dataset: {}

src/muya/lib/parser/utils.js

@@ -7,7 +7,9 @@ export const PUNCTUATION_REG = new RegExp(/[!"#$%&'()*+,\-./:;<=>?@\[\]^_`{|}~\x
 export const WHITELIST_ATTRIBUTES = [
   'align', 'alt', 'checked', 'class', 'color', 'dir', 'disabled', 'for', 'height', 'hidden',
   'href', 'id', 'lang', 'lazyload', 'rel', 'spellcheck', 'src', 'srcset', 'start', 'style',
-  'target', 'title', 'type', 'value', 'width'
+  'target', 'title', 'type', 'value', 'width',
+  // Used in img
+  'data-align'
 ]
 
 // export const unicodeZsCategory = [