From 0f7f9a864374424da03c44a9dda0dfe5215e763c Mon Sep 17 00:00:00 2001
From: mmattel <martin.mattel@diemattels.at>
Date: Wed, 2 Mar 2022 20:58:37 +0100
Subject: [PATCH 1/2] Fix highlight.js xss issue

---
 package.json                    |  9 ++++++--
 src/js/vendor/highlight.js      | 37 +++++++++++++++++----------------
 src/partials/footer-scripts.hbs |  6 +++---
 yarn.lock                       |  8 +++----
 4 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/package.json b/package.json
index 8dc1abaf..9f01595e 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "private": true,
   "name": "owncloud-ui",
   "description": "The ownCloud Core documentation",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "license": "AGPL-3.0",
   "author": "The ownCloud Team <docs@owncloud.com>",
   "homepage": "https://github.com/owncloud/docs-ui#readme",
@@ -35,9 +35,14 @@
   "dependencies": {
     "elasticsearch-browser": "^16.7.1",
     "handlebars": "^4.7.7",
-    "highlight.js": "^11.4.0",
+    "highlight.js": "9.18.3",
     "jquery": "^3.6.0"
   },
+  "dependenciesComments": {
+    "1": "DO NOT use ^9.18.3 for highlight.js because of a compatibility issue with Antora",
+    "2": "Upgrading to a release higher than 9.x will open a XSS vector because the incompatibility",
+    "3": "https://antora.zulipchat.com/#narrow/stream/282400-users/topic/Escape.20content.20in.20source.20block"
+  },
   "devDependencies": {
     "@ronilaukkarinen/gulp-stylelint": "^14.0.6",
     "autoprefixer": "^10.4.2",
diff --git a/src/js/vendor/highlight.js b/src/js/vendor/highlight.js
index ce765bb4..b0e7de74 100644
--- a/src/js/vendor/highlight.js
+++ b/src/js/vendor/highlight.js
@@ -1,18 +1,20 @@
 ;(function () {
   'use strict'
 
-// the following are additional keywords to be highlighted, particulary when using bash
-const CUSTOM_KEYWORDS = ['occ', 'apt', 'apt-get', 'systemctl', 'service', 'sudo',
-'dpkg', 'wget', 'tar', 'mysql', 'php', 'grep', 'pecl', 'pear', 'make', 
-'phpenmod', 'phpdismod', 'a2enmod', 'a2dismod', 'a2ensite', 'a2dissite'];
+// Additional keywords to be highlighted when using the bash language
+// Note that with version 9 of highlight.js, many keywords are missing compared to v10+
+const kwds_bash =
+'occ apt apt-get diff cat chown chmod dpkg exec mkdir systemctl service sudo ssh  touch ' +
+'docker docker-compose find grep make mysql openssl pecl pear php rsync tar wget ' + 
+'a2ensite a2dissite a2enmod a2dismod phpdismod phpenmod';
 
-var hljs = (window.hljs = require('highlight.js/lib/core'))
+// var hljs = (window.hljs = require('highlight.js/lib/core'))
+var hljs = require('highlight.js/lib/highlight')
   hljs.registerLanguage('apache', require('highlight.js/lib/languages/apache'))
   hljs.registerLanguage('asciidoc', require('highlight.js/lib/languages/asciidoc'))
   hljs.registerLanguage('bash', require('highlight.js/lib/languages/bash'))
   hljs.registerLanguage('clojure', require('highlight.js/lib/languages/clojure'))
   hljs.registerLanguage('cpp', require('highlight.js/lib/languages/cpp'))
-  hljs.registerLanguage('csharp', require('highlight.js/lib/languages/csharp'))
   hljs.registerLanguage('css', require('highlight.js/lib/languages/css'))
   hljs.registerLanguage('diff', require('highlight.js/lib/languages/diff'))
   hljs.registerLanguage('dockerfile', require('highlight.js/lib/languages/dockerfile'))
@@ -44,22 +46,21 @@ var hljs = (window.hljs = require('highlight.js/lib/core'))
   hljs.registerLanguage('xml', require('highlight.js/lib/languages/xml'))
   hljs.registerLanguage('yaml', require('highlight.js/lib/languages/yaml'))
 
-/* Add the additional keywords to the bash language
- * References: https://github.com/highlightjs/highlight.js/wiki/Adding-keywords-to-a-language-at-runtime
+/* Add additional keywords to the bash language
+ * Derived from: https://github.com/highlightjs/highlight.js/wiki/Adding-keywords-to-a-language-at-runtime
+ * Note that this is a special version for of highlight.js 9.x which uses strings instead of an array
  * Layout used and defined in highlight.css at .hljs-built_in
 */
-  hljs.getLanguage('bash').keywords.built_in.push(...CUSTOM_KEYWORDS);
-  // console.log(hljs.getLanguage('bash').keywords);
+  hljs.getLanguage('bash').keywords.built_in += ' ' + kwds_bash;
+  // console.log(hljs.getLanguage('bash').keywords.built_in);
 
-/* To eliminate the security messages in the browser telling:
- * "One of your code blocks includes unescaped HTML. This is a potentially serious security risk"
- * See: https://github.com/highlightjs/highlight.js/wiki/security
- * A hljs command has been added in partials/footer-scripts.hbs
- * hljs.configure({ ignoreUnescapedHTML: true })
- * This is not a security issue for us as we have a static site
+/* Do the same pattern matching as with version 11 of highlight.js
+ * See: https://github.com/highlightjs/highlight.js/pull/3494
 */
+  hljs.getLanguage('bash').lexemes = /\b[a-z][a-z0-9._-]+\b/;
+  // console.log(hljs.getLanguage('bash').lexemes);
+
   ;[].slice.call(document.querySelectorAll('pre code.hljs')).forEach(function (node) {
-    hljs.highlightElement(node)
+    hljs.highlightBlock(node)
   })
 })()
-
diff --git a/src/partials/footer-scripts.hbs b/src/partials/footer-scripts.hbs
index 5cc3420f..42e6af89 100644
--- a/src/partials/footer-scripts.hbs
+++ b/src/partials/footer-scripts.hbs
@@ -2,6 +2,6 @@
 {{#if env.ELASTICSEARCH_NODE}}
   <script src="{{uiRootPath}}/js/vendor/elastic.js"></script>
 {{/if}}
-<script src="{{uiRootPath}}/js/vendor/highlight.js"></script>
-<script>hljs.highlightAll()</script>
-<script>hljs.configure({ ignoreUnescapedHTML: true })</script>
+<script async src="{{{uiRootPath}}}/js/vendor/highlight.js"></script>
+{{! This is highlight.js v9.x syntax DON NOT upgrade to 10+}}
+{{! Also see package.json for details}}
diff --git a/yarn.lock b/yarn.lock
index 767b7dd1..a32a5339 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2894,10 +2894,10 @@ hash.js@^1.0.0, hash.js@^1.0.3:
     inherits "^2.0.3"
     minimalistic-assert "^1.0.1"
 
-highlight.js@^11.4.0:
-  version "11.4.0"
-  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-11.4.0.tgz#34ceadd49e1596ee5aba3d99346cdfd4845ee05a"
-  integrity sha512-nawlpCBCSASs7EdvZOYOYVkJpGmAOKMYZgZtUqSRqodZE0GRVcFKwo1RcpeOemqh9hyttTdd5wDBwHkuSyUfnA==
+highlight.js@9.18.3:
+  version "9.18.3"
+  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-9.18.3.tgz#a1a0a2028d5e3149e2380f8a865ee8516703d634"
+  integrity sha512-zBZAmhSupHIl5sITeMqIJnYCDfAEc3Gdkqj65wC1lpI468MMQeeQkhcIAvk+RylAkxrCcI9xy9piHiXeQ1BdzQ==
 
 hmac-drbg@^1.0.1:
   version "1.0.1"

From f611dfda8addc4c92dea1e2cd7b8116f02e5f890 Mon Sep 17 00:00:00 2001
From: mmattel <martin.mattel@diemattels.at>
Date: Wed, 2 Mar 2022 22:08:42 +0100
Subject: [PATCH 2/2] adding sed to the keyword list

---
 src/js/vendor/highlight.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/js/vendor/highlight.js b/src/js/vendor/highlight.js
index b0e7de74..c5997d92 100644
--- a/src/js/vendor/highlight.js
+++ b/src/js/vendor/highlight.js
@@ -4,7 +4,7 @@
 // Additional keywords to be highlighted when using the bash language
 // Note that with version 9 of highlight.js, many keywords are missing compared to v10+
 const kwds_bash =
-'occ apt apt-get diff cat chown chmod dpkg exec mkdir systemctl service sudo ssh  touch ' +
+'occ apt apt-get diff cat chown chmod dpkg exec mkdir systemctl sed service sudo ssh touch ' +
 'docker docker-compose find grep make mysql openssl pecl pear php rsync tar wget ' + 
 'a2ensite a2dissite a2enmod a2dismod phpdismod phpenmod';