feat: use dompurify to sanitize translations

Pin same version of `dompurify` used in Theia

Author: giacomocusinato

arduino-ide-extension/package.json

@@ -67,6 +67,7 @@
     "cross-fetch": "^3.1.5",
     "dateformat": "^3.0.3",
     "deepmerge": "^4.2.2",
+    "dompurify": "^2.4.7",
     "drivelist": "^9.2.4",
     "electron-updater": "^4.6.5",
     "fast-deep-equal": "^3.1.3",

arduino-ide-extension/src/browser/dialogs/ide-updater/ide-updater-dialog.tsx

@@ -17,6 +17,7 @@ import {
 } from '../../../common/protocol/ide-updater';
 import { LocalStorageService } from '@theia/core/lib/browser';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
+import { sanitize } from 'dompurify';
 
 @injectable()
 export class IDEUpdaterDialogProps extends DialogProps {}
@@ -173,9 +174,8 @@ export class IDEUpdaterDialog extends ReactDialog<UpdateInfo | undefined> {
     footer.appendChild(footerContent);
 
     const footerLink = document.createElement('a');
-    footerLink.innerText = nls.localize(
-      'arduino/ide-updater/donateLinkText',
-      'donate to support us'
+    footerLink.innerText = sanitize(
+      nls.localize('arduino/ide-updater/donateLinkText', 'donate to support us')
     );
     footerLink.classList.add('ide-updater-dialog--footer-link');
     footerLink.onclick = () =>
@@ -190,10 +190,12 @@ export class IDEUpdaterDialog extends ReactDialog<UpdateInfo | undefined> {
     footerLink.appendChild(footerLinkIcon);
 
     const placeholderKey = '%%link%%';
-    const footerText = nls.localize(
-      'arduino/ide-updater/donateText',
-      'Open source is love, {0}',
-      placeholderKey
+    const footerText = sanitize(
+      nls.localize(
+        'arduino/ide-updater/donateText',
+        'Open source is love, {0}',
+        placeholderKey
+      )
     );
     const placeholder = footerText.indexOf(placeholderKey);
     if (placeholder !== -1) {

arduino-ide-extension/src/browser/dialogs/version-welcome-dialog.tsx

@@ -6,6 +6,7 @@ import { nls } from '@theia/core';
 import { DialogProps } from '@theia/core/lib/browser';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
 import { AppService } from '../app-service';
+import { sanitize } from 'dompurify';
 
 @injectable()
 export class VersionWelcomeDialogProps extends DialogProps {}
@@ -87,10 +88,12 @@ export class VersionWelcomeDialog extends ReactDialog<void> {
     const { appVersion } = appInfo;
 
     if (appVersion) {
-      this.titleNode.innerHTML = nls.localize(
-        'arduino/versionWelcome/titleWithVersion',
-        'Welcome to the new Arduino IDE {0}!',
-        appVersion
+      this.titleNode.innerText = sanitize(
+        nls.localize(
+          'arduino/versionWelcome/titleWithVersion',
+          'Welcome to the new Arduino IDE {0}!',
+          appVersion
+        )
       );
     }
   }

yarn.lock

@@ -5937,6 +5937,11 @@ dompurify@^2.2.9:
   resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.4.7.tgz#277adeb40a2c84be2d42a8bcd45f582bfa4d0cfc"
   integrity sha512-kxxKlPEDa6Nc5WJi+qRgPbOAbgTpSULL+vI3NUXsZMlkJxTqYI9wg5ZTay2sFrdZRWHPWNi+EdAhcJf81WtoMQ==
 
+dompurify@^2.4.7:
+  version "2.5.7"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.5.7.tgz#6e0d36b9177db5a99f18ade1f28579db5ab839d7"
+  integrity sha512-2q4bEI+coQM8f5ez7kt2xclg1XsecaV9ASJk/54vwlfRRNQfDqJz2pzQ8t0Ix/ToBpXlVjrRIx7pFC/o8itG2Q==
+
 dot-case@^3.0.4:
   version "3.0.4"
   resolved "https://registry.yarnpkg.com/dot-case/-/dot-case-3.0.4.tgz#9b2b670d00a431667a8a75ba29cd1b98809ce751"