use trusted html in issue reporter, fyi @RMacfarlane, #106395

Author: jrieken

src/vs/base/browser/dom.ts

@@ -15,6 +15,7 @@ import * as platform from 'vs/base/common/platform';
 import { URI } from 'vs/base/common/uri';
 import { FileAccess, RemoteAuthorities } from 'vs/base/common/network';
 import { BrowserFeatures } from 'vs/base/browser/canIUse';
+import { insane, InsaneOptions } from 'vs/base/common/insane/insane';
 
 export function clearNode(node: HTMLElement): void {
 	while (node.firstChild) {
@@ -1311,3 +1312,48 @@ export function detectFullscreen(): IDetectedFullscreen | null {
 	// Not in fullscreen
 	return null;
 }
+
+// -- sanitize and trusted html
+
+function newInsaneOptions(allowedTags: string[], allowedAttributesForAll: string[], allowedAttributes: Record<string, string[]>): InsaneOptions {
+	for (let tag of allowedTags) {
+		let array = allowedAttributes[tag];
+		if (!array) {
+			array = allowedAttributesForAll;
+		} else {
+			array = array.concat(allowedAttributesForAll);
+		}
+		allowedAttributes[tag] = array;
+	}
+	const value: InsaneOptions = {
+		allowedTags,
+		allowedAttributes,
+	};
+	return value;
+}
+
+
+const _ttpStaticHtml = window.trustedTypes?.createPolicy('staticHtml', {
+	createHTML(value, options: InsaneOptions) {
+		return insane(value, options);
+	}
+});
+
+export function sanitizeStaticHtml(value: string): TrustedHTML | string {
+
+	const options = newInsaneOptions(
+		['a', 'button', 'code', 'div', 'h1', 'h2', 'h3', 'input', 'label', 'li', 'p', 'pre', 'select', 'small', 'span', 'textarea', 'ul'],
+		['class', 'id', 'role', 'tabindex'],
+		{
+			'a': ['href'],
+			'button': ['data-href'],
+			'input': ['type', 'placeholder', 'checked', 'required'],
+			'label': ['for'],
+			'select': ['required'],
+			'span': ['data-command', 'role'],
+			'textarea': ['name', 'placeholder', 'required'],
+		}
+	);
+
+	return _ttpStaticHtml?.createHTML(value, options) ?? insane(value, options);
+}

src/vs/code/electron-sandbox/issue/issueReporterMain.ts

@@ -9,7 +9,7 @@ import { INativeHostService } from 'vs/platform/native/electron-sandbox/native';
 import { NativeHostService } from 'vs/platform/native/electron-sandbox/nativeHostService';
 import { ipcRenderer, process } from 'vs/base/parts/sandbox/electron-sandbox/globals';
 import { applyZoom, zoomIn, zoomOut } from 'vs/platform/windows/electron-sandbox/window';
-import { $, reset, windowOpenNoOpener } from 'vs/base/browser/dom';
+import { $, reset, sanitizeStaticHtml, windowOpenNoOpener } from 'vs/base/browser/dom';
 import { Button } from 'vs/base/browser/ui/button/button';
 import { CodiconLabel } from 'vs/base/browser/ui/codicons/codiconLabel';
 import * as collections from 'vs/base/common/collections';
@@ -58,7 +58,9 @@ export function startup(configuration: IssueReporterConfiguration) {
 	const platformClass = platform.isWindows ? 'windows' : platform.isLinux ? 'linux' : 'mac';
 	document.body.classList.add(platformClass); // used by our fonts
 
-	document.body.innerHTML = BaseHtml();
+	const baseHtml = sanitizeStaticHtml(BaseHtml());
+	document.body.innerHTML = baseHtml as unknown as string;
+
 	const issueReporter = new IssueReporter(configuration);
 	issueReporter.render();
 	document.body.style.display = 'block';