SCEditor affected by DOM XSS via emoticon URL/HTML injection

@@ -213,6 +213,11 @@ var defaultCmds = {
 					html += '<div class="sceditor-color-column">';
 
 					column.split(',').forEach(function (color) {
+						// Only allow named, #aaa, hsl(1.1 50% / 1), etc.
+						if (!/^[\#a-z0-9\-\(\) \/%\.]+$/i.test(color)) {
+							color = '';
+						}
+
 						html +=
 							'<a href="#" class="sceditor-color-option"' +
 							' style="background-color: ' + color + '"' +
@@ -695,7 +700,8 @@ var defaultCmds = {
 
 				utils.each(emoticons, function (code, emoticon) {
 					dom.appendChild(line, dom.createElement('img', {
-						src: emoticonsRoot + (emoticon.url || emoticon),
+						src: escape.uriScheme(
+							emoticonsRoot + (emoticon.url || emoticon)),
 						alt: code,
 						title: emoticon.tooltip || code
 					}));
@@ -775,10 +781,12 @@ var defaultCmds = {
 			var editor = this;
 
 			defaultCmds.youtube._dropDown(editor, btn, function (id, time) {
+				// Set sanatise to false as sanatisaion is handled by
+				//  wysiwygEditorInsertHtml()
 				editor.wysiwygEditorInsertHtml(_tmpl('youtube', {
 					id: id,
 					time: time
-				}));
+				}, false, false));
 			});
 		},
 		tooltip: 'Insert a YouTube video'

@@ -1,13 +1,9 @@
-// Must start with a valid scheme
-// 		^
-// Schemes that are considered safe
-// 		(https?|s?ftp|mailto|spotify|skype|ssh|teamspeak|tel):|
-// Relative schemes (//:) are considered safe
-// 		(\\/\\/)|
-// Image data URI's are considered safe
-// 		data:image\\/(png|bmp|gif|p?jpe?g);
-var VALID_SCHEME_REGEX =
-	/^(https?|s?ftp|mailto|spotify|skype|ssh|teamspeak|tel):|(\/\/)|data:image\/(png|bmp|gif|p?jpe?g);/i;
+// Regex used by DOMPurify to filter URLs. Might as well match here as otherwise
+// URLs will be filtered out by DOMPurify anyway
+var VALID_URI_REGEX = /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
+// Safe image data URIs
+var VALID_DATA_REGEX = /^data:image\/(png|bmp|gif|p?jpe?g);/i;
+var WHITESPACE_REGEX = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;
 
 /**
  * Escapes a string so it's safe to use in regex
@@ -65,15 +61,15 @@ export function entities(str, noQuotes) {
  *
  * http
  * https
- * sftp
+ * ftps
  * ftp
  * mailto
- * spotify
- * skype
- * ssh
- * teamspeak
  * tel
- * //
+ * callto
+ * sms
+ * cid
+ * xmpp
+ * matrix
  * data:image/(png|jpeg|jpg|pjpeg|bmp|gif);
  *
  * **IMPORTANT**: This does not escape any HTML in a url, for
@@ -85,20 +81,27 @@ export function entities(str, noQuotes) {
  */
 export function uriScheme(url) {
 	var	path,
-		// If there is a : before a / then it has a scheme
-		hasScheme = /^[^\/]*:/i,
 		location = window.location;
 
-	// Has no scheme or a valid scheme
-	if ((!url || !hasScheme.test(url)) || VALID_SCHEME_REGEX.test(url)) {
+	// Match previous behaviour for empty or data: URIs
+	if (!url || VALID_DATA_REGEX.test(url)) {
 		return url;
 	}
 
-	path = location.pathname.split('/');
-	path.pop();
+	// Invalid scheme so make relative
+	if (!VALID_URI_REGEX.test(url.replace(WHITESPACE_REGEX, ''))) {
+		path = location.pathname.split('/');
+		path.pop();
 
-	return location.protocol + '//' +
-		location.host +
-		path.join('/') + '/' +
-		url;
+		url = location.protocol + '//' +
+			location.host +
+			path.join('/') + '/' +
+			url;
+
+		if (!VALID_URI_REGEX.test(url.replace(WHITESPACE_REGEX, ''))) {
+			return '';
+		}
+	}
+
+	return url;
 };

@@ -571,17 +571,23 @@ export default function SCEditor(original, userOptions) {
 			options.height || dom.height(original)
 		);
 
-		// Add ios to HTML so can apply CSS fix to only it
-		var className = browser.ios ? ' ios' : '';
+		if (!domPurify.isValidAttribute('link', 'href', options.style)) {
+			options.style = '';
+		}
+
+		if (!/^[a-z\-0-9 ]+$/i.test(options.charset)) {
+			options.charset = 'UTF-8';
+		}
 
 		wysiwygDocument = wysiwygEditor.contentDocument;
 		wysiwygDocument.open();
 		wysiwygDocument.write(_tmpl('html', {
-			attrs: ' class="' + className + '"',
+			// Add ios to HTML so can apply CSS fix to only it
+			attrs: browser.ios ? ' class="ios"' : '',
 			spellcheck: options.spellcheck ? '' : 'spellcheck="false"',
 			charset: options.charset,
-			style: options.style
-		}));
+			style: escape.entities(options.style)
+		}, false, false));
 		wysiwygDocument.close();
 
 		wysiwygBody = wysiwygDocument.body;
@@ -969,7 +975,7 @@ export default function SCEditor(original, userOptions) {
 			// Preload the emoticon
 			if (options.emoticonsEnabled) {
 				preLoadCache.push(dom.createElement('img', {
-					src: root + (url.url || url)
+					src: escape.uriScheme(root + (url.url || url))
 				}));
 			}
 		});

@@ -1,6 +1,6 @@
 import * as dom from './dom.js';
 import * as escape from './escape.js';
-
+import DOMPurify from 'dompurify';
 
 /**
  * HTML templates used by the editor and default commands
@@ -92,18 +92,29 @@ var _templates = {
  * @param {string} name
  * @param {Object} [params]
  * @param {boolean} [createHtml]
+ * @param {boolean} [sanitize=true]
  * @returns {string|DocumentFragment}
  * @private
  */
-export default function (name, params, createHtml) {
+export default function (name, params, createHtml, sanitize) {
 	var template = _templates[name];
 
 	Object.keys(params).forEach(function (name) {
+		// Default to sanitizing
+		if (sanitize !== false) {
+			params[name] = escape.entities(String(params[name]));
+		}
+
 		template = template.replace(
 			new RegExp(escape.regex('{' + name + '}'), 'g'), params[name]
 		);
 	});
 
+	// Default to sanitizing
+	if (sanitize !== false) {
+		template = DOMPurify.sanitize(template, {ADD_ATTR: ['unselectable']});
+	}
+
 	if (createHtml) {
 		template = dom.parseHTML(template);
 	}

@@ -184,10 +184,14 @@
 
 			cover = container.appendChild(sceditor.dom.parseHTML(
 				'<div class="sceditor-dnd-cover" style="display: none">' +
-					'<p>' + editor._('Drop files here') + '</p>' +
+					'<p></p>' +
 				'</div>'
 			).firstChild);
 
+			cover.firstChild.appendChild(
+				document.createTextNode(editor._('Drop files here'))
+			);
+
 			container.addEventListener('dragover', handleDragOver);
 			container.addEventListener('dragleave', hideCover);
 			container.addEventListener('dragend', hideCover);

@@ -966,7 +966,7 @@ QUnit.test('[img]', function (assert) {
 	);
 
 	assert.ok(
-		!/src="jav/i.test(
+		/src="jav&/i.test(
 			this.parser.toHTML('[img]jav
ascript:alert(' +
 				'String.fromCharCode(88,83,83))[/img]')
 		),
@@ -1038,7 +1038,7 @@ QUnit.test('[url]', function (assert) {
 	);
 
 	assert.ok(
-		!/href="jav/i.test(
+		/href="jav&/i.test(
 			this.parser.toHTML('[url]jav
ascript:alert(' +
 				'String.fromCharCode(88,83,83))[/url]')
 		),

@@ -71,14 +71,13 @@ QUnit.test('uriScheme() - Valid schmes', function (assert) {
 		'http://localhost',
 		'https://example.com/test.html',
 		'ftp://localhost',
-		'sftp://example.com/test/',
+		'ftps://localhost',
 		'mailto:user@localhost',
-		'spotify:xyz',
-		'skype:xyz',
-		'ssh:user@host.com:22',
-		'teamspeak:12345',
 		'tel:12345',
+		'tel:+12345',
 		'//www.example.com/test?id=123',
+		'sms:12345',
+		'sms:+1234',
 		'data:image/png;test',
 		'data:image/gif;test',
 		'data:image/jpg;test',
@@ -106,7 +105,19 @@ QUnit.test('uriScheme() - Invalid schmes', function (assert) {
 	var urls = [
 		// eslint-disable-next-line no-script-url
 		'javascript:alert("XSS");',
+		'sftp://example.com/test/',
+		'skype:xyz',
+		'spotify:xyz',
+		'ssh:user@host.com:22',
+		'teamspeak:12345',
+		// eslint-disable-next-line no-script-url
+		'javascript:alert("XSS");//test.com/hello.html',
+		// eslint-disable-next-line no-script-url
+		'javascript:alert("XSS http://example.com");',
 		'jav	ascript:alert(\'XSS\');',
+		'jav\0ascript:alert(1)',
+		'jav\nascript:alert(1)',
+		'new://https://example.com',
 		'vbscript:msgbox("XSS")',
 		'data:application/javascript;alert("xss")'
 	];