Desktop,Mobile: Allow internal links to target elements using the name attribute (#11671)

packages/app-cli/tests/md_to_html/sanitize_22.html

@@ -1,2 +1,3 @@
-<img src="test/" class="jop-noMdConv"/>
+<img src="test/" id="getElementById" class="jop-noMdConv"/>
-<img src="http://example.com/test.png" class="jop-noMdConv"/>
+<img src="http://example.com/test.png" id="getElementById" class="jop-noMdConv"/>
+<img id="test2" src="http://example.com/test.png" class="jop-noMdConv"/>

packages/app-cli/tests/md_to_html/sanitize_22.md

@@ -1,3 +1,5 @@
 <img name=getElementById src=test/>
 
 <IMG NAME="getElementById" SRC="http://example.com/test.png">
+
+<IMG NAME="test" ID="test2" SRC="http://example.com/test.png">

packages/renderer/htmlUtils.ts

@@ -285,6 +285,20 @@ class HtmlUtils {
 
 				attrs = { ...attrs };
 
+				// Allowing the 'name' attribute allows an attacker to overwrite
+				// DOM methods (e.g. getElementById) with elements.
+				if ('name' in attrs) {
+					const oldName = attrs['name'];
+					delete attrs['name'];
+
+					// For compatibility reasons, support rewriting name= as id=.
+					// This allows internal links specified with name="target" to continue
+					// to work.
+					if (!('id' in attrs)) {
+						attrs['id'] = oldName;
+					}
+				}
+
 				// Remove all the attributes that start with "on", which
 				// normally should be JavaScript events. A better solution
 				// would be to blacklist known events only but it seems the
@@ -308,12 +322,6 @@ class HtmlUtils {
 					attrs['href'] = '#';
 				}
 
-				// Allowing the 'name' attribute allows an attacker to overwrite
-				// DOM methods (e.g. getElementById) with elements.
-				if ('name' in attrs) {
-					delete attrs['name'];
-				}
-
 				// We need to clear any such attribute, otherwise it will
 				// make any arbitrary link open within the application.
 				if ('data-from-md' in attrs) {