From f502da812a6d08df7f7688598c56582f1ec51ae6 Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Mon, 15 May 2017 20:37:56 +0530
Subject: [PATCH] Sandbox comments HTML
---
src/pyj/book_list/book_details.pyj | 7 +++----
src/pyj/book_list/details_list.pyj | 12 +++++++-----
src/pyj/utils.pyj | 11 +++++++++++
3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/src/pyj/book_list/book_details.pyj b/src/pyj/book_list/book_details.pyj
index fb887ac0ea..462793e7f1 100644
--- a/src/pyj/book_list/book_details.pyj
+++ b/src/pyj/book_list/book_details.pyj
@@ -12,7 +12,7 @@ from modals import error_dialog, create_custom_dialog
from widgets import create_spinner, create_button
from date import format_date
from session import get_interface_data
-from utils import fmt_sidx, parse_url_params, conditional_timeout, safe_set_inner_html
+from utils import fmt_sidx, parse_url_params, conditional_timeout, safe_set_inner_html, sandboxed_html
from book_list.router import back, open_book, home
from book_list.library_data import book_metadata, cover_url, set_book_metadata, current_library_id, library_data, download_url, load_status, current_virtual_library
@@ -115,7 +115,7 @@ def render_metadata(mi, table, book_id, field_list=None): # {{{
table.appendChild(E.tr(E.td(name + ':'), E.td()))
if is_html:
- table.lastChild.lastChild.innerHTML = val + ''
+ table.lastChild.lastChild.appendChild(sandboxed_html(val + ''))
else:
if not join:
add_val(val)
@@ -266,8 +266,7 @@ def render_metadata(mi, table, book_id, field_list=None): # {{{
for i, field in enumerate(sorted(comments)):
fm = field_metadata[field]
comment = comments[field]
- div = E.div()
- div.innerHTML = comment
+ div = E.div(sandboxed_html(comment))
if fm.display?.heading_position is 'above':
name = fm.name or field
div.insertBefore(E.h3(name), div.firstChild or None)
diff --git a/src/pyj/book_list/details_list.pyj b/src/pyj/book_list/details_list.pyj
index ed3b36211a..0ff4aa9ecb 100644
--- a/src/pyj/book_list/details_list.pyj
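Review bot: `table.lastChild.lastChild.appendChild(sandboxed_html(val + ''))` in the `if is_html:` branch calls `sandboxed_html` without its `style` argument and sets no height on the returned iframe, so, going by the utils hunk which only sets `width = '100%'`, the frame renders at the browser's default iframe height (roughly 150px) regardless of content — long comments are clipped behind a scrollbar and short ones leave a large blank box. The same applies to `div = E.div(sandboxed_html(comment))` in the -266 hunk; the details_list hunk at least adds a `height='50px'` rule, this file adds none. A sandboxed frame cannot report its content height to the parent, so either pass a height through `style` or a CSS rule for these book-details iframes, or add a comment at the call site stating that the frame is fixed-size and will scroll. render_metadata begins and ends outside both hunks.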
+++ b/src/pyj/book_list/details_list.pyj
@@ -7,7 +7,7 @@ from gettext import gettext as _
from dom import build_rule, clear, set_css, svgicon
from session import get_interface_data
-from utils import fmt_sidx
+from utils import fmt_sidx, sandboxed_html
DETAILS_LIST_CLASS = 'book-list-details-list'
ITEM_CLASS = DETAILS_LIST_CLASS + '-item'
@@ -29,7 +29,9 @@ def details_list_css():
ans += build_rule(s, margin_right='1em', min_width=f'{THUMBNAIL_MAX_WIDTH}px')
ans += build_rule(s + ' > img', border_radius=BORDER_RADIUS+'px', max_height=f'{THUMBNAIL_MAX_HEIGHT}px', max_width=f'{THUMBNAIL_MAX_WIDTH}px')
s = sel + ' .details-list-right'
- ans += build_rule(s, flex_grow='10', overflow='hidden')
+ ans += build_rule(s, flex_grow='10', overflow='hidden', display='flex', flex_direction='column')
+ s += ' iframe'
+ ans += build_rule(s, flex_grow='10', height='50px')
return ans
@@ -59,10 +61,10 @@ def create_item(book_id, metadata, create_image, show_book_details):
img.dataset.title, img.dataset.authors = metadata.title, authors
img_div = E.div(img, class_='details-list-left')
extra_data = E.div(style='text-align: right')
- comments = E.div(style='margin-top: 1ex')
+ comments = sandboxed_html(metadata.comments, 'html { overflow: hidden }')
+ comments.style.display = 'block' if metadata.comments else 'none'
+ comments.style.marginTop = '1ex'
interface_data = get_interface_data()
- if metadata.comments:
- comments.innerHTML = metadata.comments
if metadata.rating:
stars = E.span(style='white-space:nowrap')
for i in range(int(metadata.rating) // 2):
diff --git a/src/pyj/utils.pyj b/src/pyj/utils.pyj
index deb08eddce..63b828827f 100644
--- a/src/pyj/utils.pyj
+++ b/src/pyj/utils.pyj
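Review bot: `comments = sandboxed_html(metadata.comments, 'html { overflow: hidden }')` now builds and loads a sandboxed srcdoc iframe for every list row, even when `metadata.comments` is empty and the next line immediately hides it with `display = 'none'`; the removed code only touched the div when comments existed. Each srcdoc frame is its own browsing context and, as far as I can tell, still loads while hidden, so a long list pays that cost per row; creating the frame only when there is content, e.g. `comments = sandboxed_html(metadata.comments, 'html { overflow: hidden }') if metadata.comments else E.div(style='display: none')`, lets the `display` toggle line go while keeping the `marginTop` line. The `' iframe'` rule with `height='50px'` in the -29 hunk means the preview is silently cut at 50px with `overflow: hidden`; a one-line comment above that rule saying it is a fixed-height preview would spare the next reader the search. create_item continues past the end of the hunk.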
@@ -221,6 +221,17 @@ def safe_set_inner_html(elem, html):
elem.innerHTML = simple_markup(html)
+def sandboxed_html(html, style):
+ ans = document.createElement('iframe')
+ ans.setAttribute('sandbox', '')
+ ans.setAttribute('seamless', '')
+ ans.style.width = '100%'
+ html = html or ''
+ css = 'html, body { margin: 0; padding: 0; } p:first-child { margin-top: 0; padding-top: 0; -webkit-margin-before: 0 }'
+ css += style or ''
+ ans.srcdoc = f'{html}'
+ return ans
+
if __name__ is '__main__':
from pythonize import strings
strings()
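Review bot: `ans.setAttribute('seamless', '')` has no effect — the seamless attribute was removed from the HTML standard and, as far as I know, no shipping browser implements it — so the frame neither auto-sizes to its content nor inherits the parent's styles, and nothing in this hunk should rely on it; a short comment stating that the frame is fixed-size and styled only through `srcdoc` would keep readers from assuming otherwise. As rendered here `css` is assembled but never used (`ans.srcdoc = f'{html}'`); if the page stripped a `<style>{css}</style>` wrapper from that line this is fine, otherwise the margin reset and the caller's `style` are silently lost. The empty `sandbox` value is the strictest setting (opaque origin, no scripts, forms or top navigation), but it does not stop the comment HTML from loading remote subresources such as images, which exposes the reader's IP address and possibly the server URL via the Referer to those hosts; if that is unwanted, a `<meta http-equiv="Content-Security-Policy" content="...">` and `<meta name="referrer" content="no-referrer">` at the start of the srcdoc document restrict it without relaxing the sandbox. The function also needs a docstring saying that `html` is untrusted markup rendered in an isolated origin, that `style` is extra CSS appended to the reset, and that the result is a 100%-wide iframe with no height set.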