Merge vscode source through 1.62 release (#19981)

* Build breaks 1 * Build breaks * Build breaks * Build breaks * More build breaks * Build breaks (#2512) * Runtime breaks * Build breaks * Fix dialog location break * Update typescript * Fix ASAR break issue * Unit test breaks * Update distro * Fix breaks in ADO builds (#2513) * Bump to node 16 * Fix hygiene errors * Bump distro * Remove reference to node type * Delete vscode specific extension * Bump to node 16 in CI yaml * Skip integration tests in CI builds (while fixing) * yarn.lock update * Bump moment dependency in remote yarn * Fix drop-down chevron style * Bump to node 16 * Remove playwrite from ci.yaml * Skip building build scripts in hygine check
2026-02-16 10:58:30 -05:00 · 2022-07-11 14:09:32 -07:00
parent fa0fcef303
commit 26455e9113
1876 changed files with 72050 additions and 37997 deletions
--- a/src/vs/base/browser/dom.ts
+++ b/src/vs/base/browser/dom.ts
@@ -10,10 +10,10 @@ import { IMouseEvent, StandardMouseEvent } from 'vs/base/browser/mouseEvent';
 import { TimeoutTimer } from 'vs/base/common/async';
 import { onUnexpectedError } from 'vs/base/common/errors';
 import { Emitter, Event } from 'vs/base/common/event';
-import { insane, InsaneOptions } from 'vs/base/common/insane/insane';
+import * as dompurify from 'vs/base/browser/dompurify/dompurify';
 import { KeyCode } from 'vs/base/common/keyCodes';
 import { Disposable, DisposableStore, IDisposable, toDisposable } from 'vs/base/common/lifecycle';
-import { FileAccess, RemoteAuthorities } from 'vs/base/common/network';
+import { FileAccess, RemoteAuthorities, Schemas } from 'vs/base/common/network';
 import * as platform from 'vs/base/common/platform';
 import { withNullAsUndefined } from 'vs/base/common/types';
 import { URI } from 'vs/base/common/uri';
@@ -1153,11 +1153,11 @@ export function finalHandler<T extends DOMEvent>(fn: (event: T) => any): (event:
 	};
 }

-export function domContentLoaded(): Promise<any> {
-	return new Promise<any>(resolve => {
+export function domContentLoaded(): Promise<unknown> {
+	return new Promise<unknown>(resolve => {
 		const readyState = document.readyState;
 		if (readyState === 'complete' || (document && document.body !== null)) {
-			platform.setImmediate(resolve);
+			resolve(undefined);
 		} else {
 			window.addEventListener('DOMContentLoaded', resolve, false);
 		}
@@ -1361,53 +1361,41 @@ export function detectFullscreen(): IDetectedFullscreen | null {

 // -- sanitize and trusted html

-function _extInsaneOptions(opts: InsaneOptions, allowedAttributesForAll: string[]): InsaneOptions {
-
-	let allowedAttributes: Record<string, string[]> = opts.allowedAttributes ?? {};
-
-	if (opts.allowedTags) {
-		for (let tag of opts.allowedTags) {
-			let array = allowedAttributes[tag];
-			if (!array) {
-				array = allowedAttributesForAll;
-			} else {
-				array = array.concat(allowedAttributesForAll);
-			}
-			allowedAttributes[tag] = array;
-		}
-	}
-
-	return { ...opts, allowedAttributes };
-}
-
-const _ttpSafeInnerHtml = window.trustedTypes?.createPolicy('safeInnerHtml', {
-	createHTML(value, options: InsaneOptions) {
-		return insane(value, options);
-	}
-});
-
 /**
 * Sanitizes the given `value` and reset the given `node` with it.
 */
 export function safeInnerHtml(node: HTMLElement, value: string): void {
+	const options: dompurify.Config = {
+		ALLOWED_TAGS: ['a', 'button', 'blockquote', 'code', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'input', 'label', 'li', 'p', 'pre', 'select', 'small', 'span', 'strong', 'textarea', 'ul', 'ol'],
+		ALLOWED_ATTR: ['href', 'data-href', 'data-command', 'target', 'title', 'name', 'src', 'alt', 'class', 'id', 'role', 'tabindex', 'style', 'data-code', 'width', 'height', 'align', 'x-dispatch', 'required', 'checked', 'placeholder', 'type'],
+		RETURN_DOM: false,
+		RETURN_DOM_FRAGMENT: false,
+	};

-	const options = _extInsaneOptions({
-		allowedTags: ['a', 'button', 'blockquote', 'code', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'input', 'label', 'li', 'p', 'pre', 'select', 'small', 'span', 'strong', 'textarea', 'ul', 'ol'],  // {{SQL CARBON EDIT}} Add i & img tags for welcome page support
-		allowedAttributes: {
-			'a': ['href', 'x-dispatch'],
-			'button': ['data-href', 'x-dispatch'],
-			'input': ['type', 'placeholder', 'checked', 'required'],
-			'img': ['src', 'alt', 'title', 'aria-label'], // {{SQL CARBON EDIT}} Add img for welcome page support
-			'label': ['for'],
-			'select': ['required'],
-			'span': ['data-command', 'role'],
-			'textarea': ['name', 'placeholder', 'required'],
-		},
-		allowedSchemes: ['http', 'https', 'command', 'vscode-file'] // {{SQL CARBON EDIT}} Add allowed schema for welcome page support
-	}, ['class', 'id', 'role', 'tabindex']);
+	const allowedProtocols = [Schemas.http, Schemas.https, Schemas.command];

-	const html = _ttpSafeInnerHtml?.createHTML(value, options) ?? insane(value, options);
-	node.innerHTML = html as string;
+	// https://github.com/cure53/DOMPurify/blob/main/demos/hooks-scheme-allowlist.html
+	dompurify.addHook('afterSanitizeAttributes', (node) => {
+		// build an anchor to map URLs to
+		const anchor = document.createElement('a');
+
+		// check all href/src attributes for validity
+		for (const attr in ['href', 'src']) {
+			if (node.hasAttribute(attr)) {
+				anchor.href = node.getAttribute(attr) as string;
+				if (!allowedProtocols.includes(anchor.protocol)) {
+					node.removeAttribute(attr);
+				}
+			}
+		}
+	});
+
+	try {
+		const html = dompurify.sanitize(value, { ...options, RETURN_TRUSTED_TYPE: true });
+		node.innerHTML = html as unknown as string;
+	} finally {
+		dompurify.removeHook('afterSanitizeAttributes');
+	}
 }

 /**