Desktop: Sanitize rendered output in safe mode (#8507)

.eslintignore

@@ -92,6 +92,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
 packages/app-cli/app/setupCommand.js
 packages/app-cli/app/utils/testUtils.js
 packages/app-cli/tests/HtmlToMd.js
+packages/app-cli/tests/MarkupToHtml.js
 packages/app-cli/tests/MdToHtml.js
 packages/app-cli/tests/services/keychain/KeychainService.js
 packages/app-cli/tests/services/plugins/PluginService.js

.gitignore

@@ -77,6 +77,7 @@ packages/app-cli/app/services/plugins/PluginRunner.js
 packages/app-cli/app/setupCommand.js
 packages/app-cli/app/utils/testUtils.js
 packages/app-cli/tests/HtmlToMd.js
+packages/app-cli/tests/MarkupToHtml.js
 packages/app-cli/tests/MdToHtml.js
 packages/app-cli/tests/services/keychain/KeychainService.js
 packages/app-cli/tests/services/plugins/PluginService.js

packages/app-cli/tests/MarkupToHtml.ts

@@ -1,5 +1,5 @@
 
-const MarkupToHtml = require('@joplin/renderer/MarkupToHtml').default;
+import MarkupToHtml, { MarkupLanguage, RenderResult } from '@joplin/renderer/MarkupToHtml';
 
 describe('MarkupToHtml', () => {
 
@@ -31,7 +31,7 @@ describe('MarkupToHtml', () => {
 				const input = t[0];
 				const expected = t[1];
 				const actual = service.stripMarkup(Number(markup), input);
-				expect(actual).toBe(expected, `Markup: ${markup}`);
+				expect(actual).toBe(expected);
 			}
 		}
 
@@ -40,4 +40,18 @@ describe('MarkupToHtml', () => {
 		expect(service.stripMarkup(1, 'one line\n    two line', { collapseWhiteSpaces: true })).toBe('one line two line');
 	}));
 
+
+	test('should escape HTML in safe mode', async () => {
+		const service = new MarkupToHtml({ isSafeMode: true });
+
+		const testString = '</pre>.<b>Test</b>';
+		const expectedOutput: RenderResult = {
+			html: '<pre>&lt;/pre&gt;.&lt;b&gt;Test&lt;/b&gt;</pre>',
+			cssStrings: [],
+			pluginAssets: [],
+		};
+
+		expect(await service.render(MarkupLanguage.Html, testString, {}, {})).toMatchObject(expectedOutput);
+		expect(await service.render(MarkupLanguage.Markdown, testString, {}, {})).toMatchObject(expectedOutput);
+	});
 });

packages/renderer/MarkupToHtml.ts

@@ -2,6 +2,7 @@ import MdToHtml from './MdToHtml';
 import HtmlToHtml from './HtmlToHtml';
 import htmlUtils from './htmlUtils';
 import { Options as NoteStyleOptions } from './noteStyle';
+import { AllHtmlEntities } from 'html-entities';
 const MarkdownIt = require('markdown-it');
 
 export enum MarkupLanguage {
@@ -113,8 +114,9 @@ export default class MarkupToHtml {
 
 	public async render(markupLanguage: MarkupLanguage, markup: string, theme: any, options: any): Promise<RenderResult> {
 		if (this.options_.isSafeMode) {
+			const htmlentities = new AllHtmlEntities();
 			return {
-				html: `<pre>${markup}</pre>`,
+				html: `<pre>${htmlentities.encode(markup)}</pre>`,
 				cssStrings: [],
 				pluginAssets: [],
 			};