ckeditor: add source back and sanitize input

Author: zubeydecivelek

LICENSE

@@ -338,3 +338,5 @@ proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
 library.  If this is what you want to do, use the GNU Library General
 Public License instead of this License.
+
+Includes DOMPurify, licensed under the MPL-2.0.

cds/modules/deposit/static/json/cds_deposit/forms/project.json

@@ -53,6 +53,9 @@
                   "Replace",
                   "-",
                   "RemoveFormat"
+                ],
+                [
+                  "Source"
                 ]
               ],
               "disableNativeSpellChecker": false,

cds/modules/deposit/static/json/cds_deposit/forms/video.json

@@ -52,6 +52,9 @@
                 "Replace",
                 "-",
                 "RemoveFormat"
+              ],
+              [
+                "Source"
               ]
             ],
             "disableNativeSpellChecker": false,

cds/modules/theme/assets/bootstrap3/js/cds_deposit/avc/avc.module.js

@@ -28,6 +28,7 @@ import "angular-ui-sortable";
 
 // CKEditor
 import "ckeditor";
+import "../ckeditor-sanitizer";
 import "rr-ng-ckeditor/ng-ckeditor";
 import "angular-schema-form-ckeditor/bootstrap-ckeditor";
 

cds/modules/theme/assets/bootstrap3/js/cds_deposit/ckeditor-sanitizer.js

@@ -0,0 +1,77 @@
+/**
+ * CKEditor HTML Sanitizer
+ * Sanitizes HTML content using DOMPurify to prevent XSS attacks
+ */
+import DOMPurify from "dompurify";
+
+// Sanitization config - matches backend allowed tags
+var sanitizeConfig = {
+  ALLOWED_TAGS: [
+    "a",
+    "abbr",
+    "acronym",
+    "b",
+    "blockquote",
+    "br",
+    "code",
+    "col",
+    "colgroup",
+    "div",
+    "table",
+    "tbody",
+    "tfoot",
+    "thead",
+    "td",
+    "th",
+    "tr",
+    "em",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "i",
+    "li",
+    "ol",
+    "p",
+    "pre",
+    "s",
+    "span",
+    "strike",
+    "strong",
+    "sub",
+    "sup",
+    "u",
+    "ul",
+  ],
+  ALLOWED_ATTR: ["style", "dir", "lang", "color"],
+  ALLOW_STYLE: true,
+  ALLOW_DATA_ATTR: false,
+};
+
+function sanitizeHtml(html) {
+  if (!html || typeof html !== "string") {
+    return html;
+  }
+  return DOMPurify.sanitize(html, sanitizeConfig);
+}
+
+// Initialize sanitization when CKEditor instances are ready
+if (typeof window !== "undefined" && window.CKEDITOR) {
+  window.CKEDITOR.on("instanceReady", function (ev) {
+    var editor = ev.editor;
+
+    // Store original getData method
+    var originalGetData = editor.getData;
+
+    // Sanitize when content is retrieved (before saving)
+    editor.getData = function (noEvents) {
+      var data = originalGetData.call(this, noEvents);
+      if (data) {
+        return sanitizeHtml(data);
+      }
+      return data;
+    };
+  });
+}
+

cds/modules/theme/webpack.py

@@ -97,6 +97,7 @@
                 "angular-schema-form-ckeditor": "git+https://github.com/CERNDocumentServer/cds-videos-angular-schema-ckeditor",
                 "ckeditor": "4.12.1",
                 "rr-ng-ckeditor": "~0.2.1",
+                "dompurify": "^2.4.5",
                 # needed because ci fails on tests otherwise. not imported in any bundle
                 "semantic-ui-less": "^2.4.1",
                 "vtt.js": "~0.13.0",