use iframe to sandbox generated html

[UziTech]

Description

• Use an iframe to prevent xss on demo page
• Adds a warning to the readme and docs for displaying unsanitized output HTML
• Fixes xss vulnerability in demo page #1294

Contributor

• Test(s) exist to ensure functionality and minimize regression (if no tests added, list tests covering this PR); or,
• no tests required for this PR.
• If submitting new feature, it has been documented in the appropriate places.

Committer

In most cases, this should be a different person than the contributor.

• Draft GitHub release notes have been updated.
• CI is green (no forced merge required).
• Merge PR

[styfle]

Isn’t there a sanitize option in marked to prevent XSS? Or did we already remove that?

[UziTech]

Yes we do have a sanitize option. But I don't want the demo to show sanitize output if the user isn't looking for that.

Plus I think we should deprecate that option.

Descussion #1232

[styfle]

Ok if that's the case, should we add this iframe solution to the USING_ADVANCED.md docs to make it the preferred method of sanitizing rather than the sanitize option?

[UziTech]

The iframe solution wouldn't work well in most situations.

I think we should recommend something like DOMPurify if they are displaying user generated content.

DOMPurify.sanitize(marked(...));

[styfle]

The iframe solution wouldn't work well in most situations.

Why use it here? Maybe the demo should use DOMPurify?

[UziTech]

Because it's a demo. I don't want the user to see sanitized output if they don't specify the sanitize option

[styfle]

@UziTech That makes sense.

---

@joshbruce or @davisjam can you take a look at this?

[joshbruce]

Hey! Sorry been kinda quiet - lots going on with the day job. Would like @davisjam to take a look just in there's any security weirdness though I don't think there should be (brain a little fried).

[lirantal]

Thanks for the security disclaimer notice, appreciate the awareness you set for users 👍

[davisjam]

Could link to the docs on sanitize here.

[davisjam]

I don't see the sanitize option documented clearly anywhere. The USING_ADVANCED.md docs say:

|sanitize    |`boolean` |`false`  |???      |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.|
|sanitizer   |`function`|`null`   |???      |A function to sanitize the HTML passed into `markdownString`.|

This sounds a bit circular to me.

Thoughts on:

• Enhancing the description there (and explicitly mentioning the XSS possibility)?
• Directing readers to the advanced docs from the regular docs for security considerations?

[UziTech]

I still say we deprecate the sanitize and sanitizer options and recommend

DOMPurify.sanitize(marked(...));

like in #1232 (comment)

marked should be all about converting markdown to HTML and let other packages handle the sanitizing and displaying the HTML.

[styfle]

I'm going to merge this because it addresses sanitization of marked.js.org and we shouldn't leave this XSS vulnerability lingering any longer.

If anyone wants to update the docs to make this sanitation process clearer, feel free to submit a new PR.

Thanks!