Website: Add syntax highlighting + security practices (#167)

* feat(website/static): added highligh go script

* feat(website/static): added highlight go theme

* feat(website/views): added syntax highlighting for files

* feat(website/views): highlighjs throw on unescaped html

* feat(website/views): added sanitize for marked output

* feat(website/static): added dompurify

* feat(docs/security): added dependencies guide for website

* feat(website/views): sanitize marked output in home

* fix(docs/security): typos

* fix(webiste/views): <script> type for packae_file dependencies

* feat(docs/security): added DOMPurify dependency

* fix(docs/security): typos

Author: loicttn

gnoland/docs/security.md

@@ -0,0 +1,20 @@
+# gno.land Website
+
+The gno.land website has 3 main dependencies:
+
+1. [UmbrellaJs](https://umbrellajs.com/) for DOM operations
+2. [MarkedJs](https://marked.js.org/) for Markdown to html compilation
+3. [HighlightJs](https://highlightjs.org/) for golang syntax highlighting
+4. [DOMPurify](https://github.com/cure53/DOMPurify) to sanitize html (and avoid xss)
+
+Some security considerations:
+| | Umbrella Js | Marked Js | HighlightJs | DOMPurify |
+|---|---|---|---|---|
+| dependencies | 0 | 0 | 0 | 0 |
+| sanitize content | | [no](https://marked.js.org/#usage) | [throws an error](https://github.com/highlightjs/highlight.js/blob/7addd66c19036eccd7c602af61f1ed84d215c77d/src/highlight.js#L741) | [yes](https://github.com/cure53/DOMPurify#readme) |
+
+Best Practices:
+
+- **When using MarkedJs**: Always run the output of the marked compiler inside `DOMPurify.sanitize` before inserting it in the dom with `.innerHtml = `.
+- **When using DOMPurify**: Preferably use `{ USE_PROFILES: { html: true } }` option to allow html only. Content passed in the sanitizer must not be modified afterwards, and must directly be inserted in the DOM with innerHtml. Do not call `DOMPurify.sanitize` with the output of a previous `DOMPurify.sanitize` to avoid any mutation XSS risks.
+- **When using HighlightJs**: always configure it before with `hljs.configure({throwUnescapedHTML: true})` to throw before inserting html in the page if any unexpected html children are detected. The check is done [here](https://github.com/highlightjs/highlight.js/blob/7addd66c19036eccd7c602af61f1ed84d215c77d/src/highlight.js#L741).

gnoland/website/static/css/highlight.min.css

@@ -0,0 +1,13 @@
+pre code.hljs{display:block;overflow-x:auto;padding:1em}code.hljs{padding:3px 5px}/*!
+  Theme: StackOverflow Light
+  Description: Light theme as used on stackoverflow.com
+  Author: stackoverflow.com
+  Maintainer: @Hirse
+  Website: https://github.com/StackExchange/Stacks
+  License: MIT
+  Updated: 2021-05-15
+
+  Updated for @stackoverflow/stacks v0.64.0
+  Code Blocks: /blob/v0.64.0/lib/css/components/_stacks-code-blocks.less
+  Colors: /blob/v0.64.0/lib/css/exports/_stacks-constants-colors.less
+*/.hljs{color:#2f3337;background:#f6f6f6}.hljs-subst{color:#2f3337}.hljs-comment{color:#656e77}.hljs-attr,.hljs-doctag,.hljs-keyword,.hljs-meta .hljs-keyword,.hljs-section,.hljs-selector-tag{color:#015692}.hljs-attribute{color:#803378}.hljs-name,.hljs-number,.hljs-quote,.hljs-selector-id,.hljs-template-tag,.hljs-type{color:#b75501}.hljs-selector-class{color:#015692}.hljs-link,.hljs-regexp,.hljs-selector-attr,.hljs-string,.hljs-symbol,.hljs-template-variable,.hljs-variable{color:#54790d}.hljs-meta,.hljs-selector-pseudo{color:#015692}.hljs-built_in,.hljs-literal,.hljs-title{color:#b75501}.hljs-bullet,.hljs-code{color:#535a60}.hljs-meta .hljs-string{color:#54790d}.hljs-deletion{color:#c02d2e}.hljs-addition{color:#2f6f44}.hljs-emphasis{font-style:italic}.hljs-strong{font-weight:700}

gnoland/website/static/js/highlight.min.js

@@ -3,7 +3,8 @@
 <html>
     <head>
         <link rel="stylesheet" href="/static/css/app.css"/>
-        <script src="/static/js/marked.min.js"></script>
+        <script type="text/javascript" src="/static/js/marked.min.js"></script>
+        <script type="text/javascript" src="/static/js/purify.min.js"></script>
     </head>
     <body onload="main()">
 	<div id="header">
@@ -46,7 +47,7 @@
 	var doc = new DOMParser().parseFromString(window.contents, "text/html");
 	var contents = doc.documentElement.textContent
 	var parsed = marked.parse(contents);
-	document.getElementById("home").innerHTML = parsed;
+	document.getElementById("home").innerHTML = DOMPurify.sanitize(parsed, { USE_PROFILES: { html: true } });
 };
     </script>
 </html>

gnoland/website/static/js/purify.min.js

@@ -3,6 +3,8 @@
 <html>
     <head>
         <link rel="stylesheet" href="/static/css/app.css"/>
+        <link rel="stylesheet" href="/static/css/highlight.min.css"/>
+        <script type="text/javascript" src="/static/js/highlight.min.js"></script>
     </head>
     <body>
         <div id="header">
@@ -13,8 +15,14 @@
             {{ template "header_buttons" }}
         </div>
         <div id="package_file">
-            <pre>{{ .Data.FileContents }}</pre>
+            <pre><code>{{ .Data.FileContents }}</code></pre>
         </div>
     </body>
+    <script>
+        hljs.configure({
+            throwUnescapedHTML: true // important to avoid inserting escaped html
+        })
+        hljs.highlightAll() // applied to all <pre><code>...</code></pre>
+    </script>
 </html>
 {{- end -}}

gnoland/website/views/home.html

@@ -3,8 +3,9 @@
 <html>
     <head>
         <link rel="stylesheet" href="/static/css/app.css"/>
-        <script src="/static/js/marked.min.js"></script>
-        <script src="/static/js/umbrella.min.js"></script>
+        <script type="text/javascript" src="/static/js/marked.min.js"></script>
+        <script type="text/javascript" src="/static/js/umbrella.min.js"></script>
+        <script type="text/javascript" src="/static/js/purify.min.js"></script>
     </head>
     <body onload="main()">
 	<div id="header">
@@ -34,7 +35,7 @@
     });
 	var source = u("#source").text();
 	var parsed = marked.parse(source);
-	document.getElementById("realm_render").innerHTML = parsed;
+	document.getElementById("realm_render").innerHTML = DOMPurify.sanitize(parsed, { USE_PROFILES: { html: true } });
 };
     </script>
 </html>