CVE-2020-27666
Description
Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| strapi-plugin-content-manager (npm) | < 3.2.5 | 3.2.5 |
Affected products
- Strapi/Strapi
Patches
Vulnerability mechanics
Root cause
"The WYSIWYG preview feature rendered Markdown to HTML without sanitizing the output, allowing stored cross-site scripting via injected HTML/JavaScript."
Attack vector
An attacker with access to the Strapi content manager can inject malicious HTML/JavaScript into a WYSIWYG field's content. When another user (such as an admin) views the preview of that content, the unsanitized Markdown-rendered HTML is executed in their browser, leading to stored cross-site scripting [CWE-79]. The attack requires the attacker to be able to create or edit content that uses the WYSIWYG editor, and the victim must open the preview for that content.
Affected code
The vulnerability is in the WYSIWYG editor's preview feature within `packages/strapi-plugin-content-manager/admin/src/components/PreviewWysiwyg/index.js`. The fix adds a call to `sanitizeHtml()` on the rendered Markdown output before it is injected into the DOM, and introduces a new utility file `satinizeHtml.js` that configures the `sanitize-html` library with an allowlist of tags and attributes.
What the fix does
The patch introduces the `sanitize-html` library (version 2.1.1) as a dependency and creates a utility function `clean()` that passes rendered Markdown through `sanitizeHtml()` with a strict allowlist of allowed tags and attributes. The preview component now calls `sanitizeHtml(md.render(data))` instead of directly rendering the Markdown output. This prevents malicious HTML or JavaScript from being executed in the preview by stripping or escaping any content that does not match the configured allowlist.
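The allowlist approach the patch takes, as an added illustration that is not Strapi's code and not the sanitize-html library itself: a small sanitizer that rebuilds rendered-Markdown HTML from allowlisted tags and attributes only, so event handlers, script tags and javascript: links never reach the preview DOM. The tag and attribute lists are assumed for the example; the actual fix delegates this work to the parser-backed sanitize-html library.

```javascript
// Added example, not Strapi's code: a minimal allowlist sanitizer in the
// spirit of the fix (sanitize-html with an allowlist). The allowed tags and
// attributes below are assumed for illustration, not the project's own list.
// Tags are tokenized with a regex for brevity; the real fix uses the
// parser-backed sanitize-html library, which is what production code should use.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'code', 'pre', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
// Only these URL shapes may survive in href; javascript:, data:, etc. are dropped.
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;

// Input is renderer output, so entities such as &amp; are left alone; only the
// characters that could open a tag or break out of an attribute are escaped.
function escapeHtml(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only allowlisted attributes for this tag; re-emit them double-quoted.
function cleanAttrs(tag, raw) {
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] || m[3] || m[4] || '').trim();
    const allowed = ALLOWED_ATTRS[tag];
    if (!allowed || !allowed.has(name)) continue;           // e.g. onclick, onerror
    if (name === 'href' && !SAFE_HREF.test(value)) continue; // e.g. javascript:
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Rebuild the document from allowlisted tags only; everything else becomes
// escaped text, so an unparsed fragment fails closed rather than open.
function sanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // drop <script>, <img>, ... entirely
    out += m[0].startsWith('</') ? `</${tag}>` : `<${tag}${cleanAttrs(tag, m[2])}>`;
  }
  return out + escapeHtml(html.slice(last));
}
```

A constructed preview input such as the rendered form of `[x](javascript:alert(1))` comes out as `<a>x</a>`, which is the behaviour the allowlist is meant to guarantee.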
Preconditions
- auth: The attacker must be able to create or edit content that uses the WYSIWYG editor in Strapi
- input: The victim must view the preview of the attacker-controlled content
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qvp5-mm7v-4f36 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-27666 (GHSA, advisory)
- github.com/strapi/strapi/pull/8440 (GHSA, x_refsource_MISC, web)
- github.com/strapi/strapi/releases/tag/v3.2.5 (GHSA, x_refsource_MISC, web)