fix: harden sanitize-html xmp handling (GHSA-rpr9-rxv7-x643)

.gitignore

@@ -59,3 +59,4 @@ docker-compose.override.yaml
 CLAUDE.md
 .codex/
 AGENTS.md
+.serena

lib/allowlist.js

@@ -1,5 +1,7 @@
 const fs = require('node:fs');
 
+const RAW_TEXT_BYPASS_TAGS = Object.freeze(['xmp']);
+
 const DEFAULT_ALLOWLIST = Object.freeze({
     allowedTags: Object.freeze([
         'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'blockquote', 'ul', 'ol', 'li', 'br', 'hr',
@@ -16,8 +18,22 @@ const DEFAULT_ALLOWLIST = Object.freeze({
     }),
     allowedSchemes: Object.freeze(['http', 'https', 'mailto']),
     disallowedTagsMode: 'discard',
+    nonTextTags: Object.freeze(['script', 'style', 'textarea', 'option', ...RAW_TEXT_BYPASS_TAGS]),
 });
 
+function hardenAllowlist(config) {
+    const allowedTags = Array.isArray(config.allowedTags) ? config.allowedTags : [];
+    if (allowedTags.includes('xmp')) return config;
+
+    const nonTextTags = new Set(Array.isArray(config.nonTextTags) ? config.nonTextTags : []);
+    for (const tag of RAW_TEXT_BYPASS_TAGS) nonTextTags.add(tag);
+
+    return {
+        ...config,
+        nonTextTags: [...nonTextTags],
+    };
+}
+
 function loadAllowlist({ path = process.env.ALLOWLIST_FILE } = {}) {
     if (!path) return DEFAULT_ALLOWLIST;
 
@@ -53,7 +69,7 @@ function loadAllowlist({ path = process.env.ALLOWLIST_FILE } = {}) {
         throw new Error('ALLOWLIST_FILE: "allowedSchemes" must be an array');
     }
 
-    return parsed;
+    return hardenAllowlist(parsed);
 }
 
-module.exports = { DEFAULT_ALLOWLIST, loadAllowlist };
+module.exports = { DEFAULT_ALLOWLIST, loadAllowlist, hardenAllowlist };

package.json

@@ -31,7 +31,7 @@
     "express-rate-limit": "^8.5.1",
     "pino": "^10.3.1",
     "pino-http": "^11.0.0",
-    "sanitize-html": "^2.17.3"
+    "sanitize-html": "^2.17.4"
   },
   "devDependencies": {
     "@cyclonedx/cyclonedx-npm": "^4.2.1",

tests/allowlist.test.js

@@ -20,6 +20,7 @@ describe("loadAllowlist", () => {
     expect(loadAllowlist({ path: undefined })).toBe(DEFAULT_ALLOWLIST);
     expect(DEFAULT_ALLOWLIST.allowedTags).toContain("p");
     expect(DEFAULT_ALLOWLIST.allowedTags).not.toContain("script");
+    expect(DEFAULT_ALLOWLIST.nonTextTags).toContain("xmp");
   });
 
   it("reads a JSON file when a path is provided", () => {
@@ -34,6 +35,22 @@ describe("loadAllowlist", () => {
       const loaded = loadAllowlist({ path: file });
       expect(loaded.allowedTags).toEqual(["p", "em"]);
       expect(loaded.disallowedTagsMode).toBe("escape");
+      expect(loaded.nonTextTags).toContain("xmp");
+    } finally {
+      removeFixture(file);
+    }
+  });
+
+  it("does not force xmp into nonTextTags when xmp is explicitly allowed", () => {
+    const file = writeFixture("xmp-allowed", {
+      allowedTags: ["xmp"],
+      allowedAttributes: {},
+      disallowedTagsMode: "discard",
+    });
+
+    try {
+      const loaded = loadAllowlist({ path: file });
+      expect(loaded.nonTextTags).toBeUndefined();
     } finally {
       removeFixture(file);
     }

tests/validation.test.js

@@ -163,6 +163,21 @@ describe("Markdown Validator API", () => {
     });
   });
 
+  describe("sanitize-html hardening", () => {
+    it("drops xmp raw-text payloads instead of re-emitting active HTML", async () => {
+      const response = await request(app)
+        .post("/validate")
+        .send({ markdown: "<xmp><img src=x onerror=alert(1)></xmp>" })
+        .set("Content-Type", "application/json");
+
+      expect(response.status).toBe(200);
+      expect(response.body.safe).toBe(false);
+      expect(response.body.sanitized).not.toMatch(/<img/i);
+      expect(response.body.sanitized).not.toMatch(/onerror/i);
+      expect(response.body.sanitized).toBe("");
+    });
+  });
+
   describe("Front matter", () => {
     it("flags a front matter containing HTML as unsafe", async () => {
       const markdown = "---\ntitle: <script>alert(1)</script>\n---\n# hello\n";