Desktop: Security: Fixed possible XSS injection

packages/app-cli/tests/md_to_html/sanitize_13.html

@@ -0,0 +1 @@
+<div class="jop-noMdConv"><svg class="jop-noMdConv"><style class="jop-noMdConv">&lt;/svg>&lt;iframe srcdoc="&lt;script>top.require('child_process').execSync('calc')&lt;/script>">&lt;/iframe>&lt;/div>

packages/app-cli/tests/md_to_html/sanitize_13.md

@@ -0,0 +1 @@
+<div><svg><style></svg><iframe srcdoc="<script>top.require('child_process').execSync('calc')</script>"></iframe></div>

packages/renderer/htmlUtils.ts

@@ -235,11 +235,18 @@ class HtmlUtils {
 			ontext: (decodedText: string) => {
 				if (disallowedTagDepth) return;
 
+
 				if (currentTag() === 'style') {
-					// For CSS, we have to put the style as-is inside the tag because if we html-entities encode
-					// it, it's not going to work. But it's ok because JavaScript won't run within the style tag.
-					// Ideally CSS should be loaded from an external file.
-					output.push(decodedText);
+					// For CSS, we have to put the style as-is inside the tag
+					// because if we html-entities encode it, it's not going to
+					// work. But it's ok because JavaScript won't run within the
+					// style tag. Ideally CSS should be loaded from an external
+					// file.
+
+					// We however have to encode at least the `<` characters to
+					// prevent certain XSS injections that would rely on the
+					// content not being encoded (see sanitize_13.md)
+					output.push(decodedText.replace(/</g, '&lt;'));
 				} else {
 					output.push(htmlentities(decodedText));
 				}