Sanitize browseableMessage html (#17581)
seanbudd
Member
seanbudd commented last week •
Link to issue number:
Fixes #16985
Summary of the issue:
ui.browsableMessage can inject unsanitized HTML into NVDA.
This is an issue if translations are passed in as unsanitized HTML.
Translations are fairly unregulated, translation strings are the only "code" included in NVDA without a direct review from NV Access or as a review as a dependency. If NVDA translations can perform RCE, we have a problem.
Considering no NVDA source code uses the isHtml functionality of this function currently, this isn't an active vector.
However, if we ever start using isHtml, it becomes an active vector, which is something we want to avoid and prevent from becoming a possibility.
Description of user facing changes
HTML is now sanitised for browseableMessages. This will only affect add-ons. It may cause some add-ons to lose formatting in browseableMessages that use HTML. To restore certain formatting, authors can update the whitelisting by calling nh3.clean with their own desired parameters.
Description of development approach
Added a sanitization function to browseableMessage.
