From cba2e466c8708c1a89ae2d766d31fa9d04d6f3be Mon Sep 17 00:00:00 2001 From: Lisa Knox Date: Tue, 17 Oct 2023 16:36:44 -0400 Subject: [PATCH] 21026: applied sanitization in 4 files Arvados-DCO-1.1-Signed-off-by: Lisa Knox --- src/common/html-sanitize.ts | 2 +- src/views-components/main-app-bar/main-app-bar.tsx | 3 ++- src/views/inactive-panel/inactive-panel.tsx | 3 ++- src/views/login-panel/login-panel.tsx | 3 ++- src/views/virtual-machine-panel/virtual-machine-user-panel.tsx | 3 ++- 5 files changed, 9 insertions(+), 5 deletions(-) diff --git a/src/common/html-sanitize.ts b/src/common/html-sanitize.ts index 2bb43d081a..93ebfaa2ef 100644 --- a/src/common/html-sanitize.ts +++ b/src/common/html-sanitize.ts @@ -42,7 +42,7 @@ const domPurifyConfig: TDomPurifyConfig = { 'sup', 'ul', ], - ALLOWED_ATTR: ['src', 'width', 'height', 'href', 'alt', 'title'], + ALLOWED_ATTR: ['src', 'width', 'height', 'href', 'alt', 'title', 'style' ], }; export const sanitizeHTML = (dirtyInput: string): string => DOMPurify.sanitize(dirtyInput, domPurifyConfig); diff --git a/src/views-components/main-app-bar/main-app-bar.tsx b/src/views-components/main-app-bar/main-app-bar.tsx index 60ce68e99d..c57d5cd85d 100644 --- a/src/views-components/main-app-bar/main-app-bar.tsx +++ b/src/views-components/main-app-bar/main-app-bar.tsx @@ -15,6 +15,7 @@ import { HelpMenu } from 'views-components/main-app-bar/help-menu'; import { ReactNode } from "react"; import { AdminMenu } from "views-components/main-app-bar/admin-menu"; import { pluginConfig } from 'plugins'; +import { sanitizeHTML } from "common/html-sanitize"; type CssRules = 'toolbar' | 'link'; @@ -47,7 +48,7 @@ export const MainAppBar = withStyles(styles)( {pluginConfig.appBarLeft || - ({props.uuidPrefix}) + ({props.uuidPrefix}) diff --git a/src/views/inactive-panel/inactive-panel.tsx b/src/views/inactive-panel/inactive-panel.tsx index 064add3a6d..be76570697 100644 --- a/src/views/inactive-panel/inactive-panel.tsx 
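Review bot: Allowing `'style'` in `ALLOWED_ATTR` of `domPurifyConfig` lets any markup that passes through `sanitizeHTML` carry arbitrary inline CSS, and this same commit imports the sanitizer into the login and inactive panels, so configured text could presumably restyle or cover the sign-in UI or cause outbound `url(...)` fetches. As far as I know DOMPurify keeps an allowed `style` value as written rather than parsing its CSS, so if inline styling is really needed I would limit it to a short property allow-list in a `DOMPurify.addHook('uponSanitizeAttribute', ...)` callback, or drop `'style'` and rely on classes. At minimum the line deserves a comment such as `// 'style' is allowed for admin-configured text only; inline CSS is NOT filtered by DOMPurify`. The stray space in `'style' ]` should also be removed to match the rest of the array.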
+++ b/src/views/inactive-panel/inactive-panel.tsx @@ -10,6 +10,7 @@ import { StyleRulesCallback, WithStyles, withStyles } from '@material-ui/core/st import { ArvadosTheme } from 'common/custom-theme'; import { navigateToLinkAccount } from 'store/navigation/navigation-action'; import { RootState } from 'store/store'; +import { sanitizeHTML } from 'common/html-sanitize'; export type CssRules = 'root' | 'ontop' | 'title'; @@ -57,7 +58,7 @@ export const InactivePanelRoot = ({ classes, startLinking, inactivePageText, isL style={{ marginTop: 56, height: "100%" }}> - + { !isLoginClusterFederation diff --git a/src/views/login-panel/login-panel.tsx b/src/views/login-panel/login-panel.tsx index 110097bee5..f834b3b6df 100644 --- a/src/views/login-panel/login-panel.tsx +++ b/src/views/login-panel/login-panel.tsx @@ -12,6 +12,7 @@ import { RootState } from 'store/store'; import { LoginForm } from 'views-components/login-form/login-form'; import Axios from 'axios'; import { Config } from 'common/config'; +import { sanitizeHTML } from 'common/html-sanitize'; type CssRules = 'root' | 'container' | 'title' | 'content' | 'content__bolder' | 'button'; @@ -98,7 +99,7 @@ export const LoginPanel = withStyles(styles)( style={{ marginTop: 56, overflowY: "auto", height: "100%" }}> -
+
{Object.keys(remoteHosts).length > 1 && loginCluster === "" && diff --git a/src/views/virtual-machine-panel/virtual-machine-user-panel.tsx b/src/views/virtual-machine-panel/virtual-machine-user-panel.tsx index 751ca5f190..56c92805e2 100644 --- a/src/views/virtual-machine-panel/virtual-machine-user-panel.tsx +++ b/src/views/virtual-machine-panel/virtual-machine-user-panel.tsx @@ -18,6 +18,7 @@ import parse from "parse-duration"; import { CopyIcon } from 'components/icon/icon'; import CopyToClipboard from 'react-copy-to-clipboard'; import { snackbarActions, SnackbarKind } from 'store/snackbar/snackbar-actions'; +import { sanitizeHTML } from 'common/html-sanitize'; type CssRules = 'button' | 'codeSnippet' | 'link' | 'linkIcon' | 'rightAlign' | 'cardWithoutMachines' | 'icon' | 'chipsRoot' | 'copyIcon' | 'tableWrapper' | 'webshellButton'; @@ -269,7 +270,7 @@ const CardSSHSection = (props: VirtualMachineProps) => -
+
-- 2.30.2