Applies DOMSanitize.sanitize to innerHTML write

[LukeWood]

This commit sanitizes the text applied to innerHTML of the linkNode
attribute on OpenUriCommandHandler. This is an attempt to limit the
xss sink surface in Theia.

If there is no reason to do so or this breaks some intended behavior
please leave a comment indicating so.

Signed-off-by: Luke Wood lukewood@google.com

Change-Id: Ibee9829b3a44f87d15c9d46b9bc342332e5ccf08

What it does

sanitizes text assigned to innerHTML in an anchor element

How to test

This is not to address a specific bug - just a precaution.

[LukeWood]

just accepted CLA

[LukeWood]

Any update on this one?

[vince-fugnitto]

Sorry about the delay, I didn't get the notification 👍
The changes look good to me, thank you for taking care of it!

[vince-fugnitto]

@LukeWood can you include the dompurify dependency as part of @theia/plugin-ext (at the moment it is only provided by @theia/preview)? This will ensure that if a downstream app includes @theia/plugin-ext and not @theia/preview it will still work correctly.

[vince-fugnitto]

@LukeWood would you like me to take care of the outstanding issue #8388 (review) so it can be merged?

[LukeWood]

apologies - I didn't realize there were still outstanding issues. If you could do that it would be great - I though I pushed a local copy but I must be mistaken

[vince-fugnitto]

apologies - I didn't realize there were still outstanding issues. If you could do that it would be great - I though I pushed a local copy but I must be mistaken

No problem! I updated the pull-request to include the necessary dependencies in the plugin-ext extension. I'll wait for CI to pass and likely merge tomorrow morning.