From 1d3d61ead98141ce80bbbc4645bf34eac572b194 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Sun, 4 Jul 2021 20:32:37 +0200
Subject: [PATCH] markdown: extend blocked tags in sanitizer

not all of those are really problematic, but it's always easier to start out stricter than required and see if any user even would use those. It seems that we should probably switch to a white-list approach...

Signed-off-by: Thomas Lamprecht
---
 src/Parser.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Parser.js b/src/Parser.js
index fd148aa..779195f 100644
--- a/src/Parser.js
+++ b/src/Parser.js
@@ -14,7 +14,9 @@ Ext.define('Proxmox.Markdown', {
 let _sanitize;
 _sanitize = (node) => {
 if (node.nodeType === 3) return;
- if (node.nodeType !== 1 || /^(script|style|iframe|object|embed|svg)$/i.test(node.tagName)) {
+ if (node.nodeType !== 1 ||
+ /^(script|style|form|select|option|optgroup|map|area|canvas|textarea|applet|font|iframe|audio|video|object|embed|svg)$/i.test(node.tagName)
+ ) {
 // could do node.remove() instead, but it's nicer UX if we keep the (encoded!) html
 node.outerHTML = Ext.String.htmlEncode(node.outerHTML);
 return;
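Review bot: The extended denylist in the `/^(script|style|form|…)$/i` test is still inconsistent with its own intent: `style` is blocked but `link` is not, `form`/`select`/`textarea` are blocked but `input` and `button` are not, and `meta`, `base` and `math` are absent as well. Until the allow-list mentioned in the commit message exists, I would add `|link|meta|base|input|button|math` to the alternation and put a comment above the test stating that any element not named here passes through by default, e.g. `// deny-list: unknown or future elements are NOT blocked`. Whether the attribute handling further down in `_sanitize` mitigates any of these is not visible here, since the function starts before and continues past the hunk.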