DEV: Update xss.js (#17216)

* DEV: Update xss.js

* Fix our hack

app/assets/javascripts/admin/package.json

@@ -19,7 +19,7 @@
     "ember-cli-babel": "^7.23.1",
     "ember-cli-htmlbars": "^6.0.1",
     "webpack": "^5.67.0",
-    "xss": "1.0.11"
+    "xss": "^1.0.13"
   },
   "devDependencies": {
     "@ember/optional-features": "^2.0.0",

app/assets/javascripts/pretty-text-bundle.js

@@ -5,7 +5,7 @@
 //= require ./pretty-text/addon/emoji/version
 //= require ./pretty-text/addon/emoji
 //= require ./pretty-text/addon/engines/discourse-markdown-it
-//= require xss.min
+//= require ./node_modules/xss/dist/xss.min
 //= require ./pretty-text/addon/allow-lister
 //= require ./pretty-text/addon/sanitizer
 //= require ./pretty-text/addon/oneboxer

app/assets/javascripts/pretty-text/engines/discourse-markdown/upload-protocol.js

@@ -31,16 +31,16 @@ function findUploadsInHtml(uploads, blockToken) {
   // image src attributes, and replace them with a placeholder.
   // Note that we can't use browser DOM APIs because this needs
   // to run in mini-racer.
-  const fakeAllowList = {};
-
   let foundImage = false;
-  const newContent = xss(blockToken.content, {
-    allowList: fakeAllowList,
+  let allowList;
+
+  const filter = new xss.FilterXSS({
+    allowList: [],
     allowCommentTag: true,
-    onTag(tag, html, options) {
+    onTag(tag, html, info) {
       // We're not using this for sanitizing, so allow all tags through
-      options.isWhite = true;
-      fakeAllowList[tag] = [];
+      info.isWhite = true;
+      allowList[tag] = [];
     },
     onTagAttr(tag, name, value) {
       if (tag === "img" && name === "src" && value.startsWith("upload://")) {
@@ -51,6 +51,10 @@ function findUploadsInHtml(uploads, blockToken) {
       return attr(name, value);
     },
   });
+
+  allowList = filter.options.whiteList;
+  const newContent = filter.process(blockToken.content);
+
   if (foundImage) {
     blockToken.content = newContent;
   }

app/assets/javascripts/pretty-text/package.json

@@ -19,7 +19,7 @@
     "ember-cli-babel": "^7.23.1",
     "ember-cli-htmlbars": "^6.0.1",
     "webpack": "^5.67.0",
-    "xss": "1.0.11"
+    "xss": "^1.0.13"
   },
   "devDependencies": {
     "@ember/optional-features": "^2.0.0",

app/assets/javascripts/wizard/package.json

@@ -19,7 +19,7 @@
     "ember-cli-babel": "^7.23.1",
     "ember-cli-htmlbars": "^6.0.1",
     "webpack": "^5.67.0",
-    "xss": "1.0.11"
+    "xss": "^1.0.13"
   },
   "devDependencies": {
     "@ember/optional-features": "^2.0.0",

app/assets/javascripts/yarn.lock

@@ -11376,10 +11376,10 @@ xmlhttprequest-ssl@~1.5.4:
   resolved "https://registry.yarnpkg.com/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz#c2876b06168aadc40e57d97e81191ac8f4398b3e"
   integrity sha1-wodrBhaKrcQOV9l+gRkayPQ5iz4=
 
-xss@1.0.11:
-  version "1.0.11"
-  resolved "https://registry.yarnpkg.com/xss/-/xss-1.0.11.tgz#211cb82e95b5071d4c75d597283c021157ebe46a"
-  integrity sha512-EimjrjThZeK2MO7WKR9mN5ZC1CSqivSl55wvUK5EtU6acf0rzEE1pN+9ZDrFXJ82BRp3JL38pPE6S4o/rpp1zQ==
+xss@^1.0.13:
+  version "1.0.13"
+  resolved "https://registry.yarnpkg.com/xss/-/xss-1.0.13.tgz#6e48f616128b39f366dfadc57411e1eb5b341c6c"
+  integrity sha512-clu7dxTm1e8Mo5fz3n/oW3UCXBfV89xZ72jM8yzo1vR/pIS0w3sgB3XV2H8Vm6zfGnHL0FzvLJPJEBhd86/z4Q==
   dependencies:
     commander "^2.20.3"
     cssfilter "0.0.10"

lib/pretty_text.rb

@@ -105,7 +105,7 @@ module PrettyText
 
     ctx_load(ctx, "#{Rails.root}/app/assets/javascripts/mini-loader.js")
     ctx_load(ctx, "#{Rails.root}/app/assets/javascripts/handlebars-shim.js")
-    ctx_load(ctx, "vendor/assets/javascripts/xss.min.js")
+    ctx_load(ctx, "#{Rails.root}/app/assets/javascripts/node_modules/xss/dist/xss.min.js")
     ctx.load("#{Rails.root}/lib/pretty_text/vendor-shims.js")
     ctx_load_manifest(ctx, "pretty-text-bundle.js")
     ctx_load_manifest(ctx, "markdown-it-bundle.js")