Merge 2d3f9aa into a7fa0d6

seanbudd · web-flow · commit 2d1a334176e7 · 2025-01-06T00:05:39.000Z
diff --git a/source/ui.py b/source/ui.py
@@ -21,13 +21,15 @@
 from comtypes import automation
 from comtypes import COMError
 from html import escape
+
+import nh3
 from logHandler import log
 import gui
 import speech
 import braille
 from config.configFlags import TetherTo
 import globalVars
-from typing import Optional
+from typing import Callable, Optional
 
 from utils.security import isRunningOnSecureDesktop
 
@@ -135,6 +137,7 @@ def browseableMessage(
 	isHtml: bool = False,
 	closeButton: bool = False,
 	copyButton: bool = False,
+	sanitizeHtmlFunc: Callable[[str], str] = nh3.clean,
 ) -> None:
 	"""Present a message to the user that can be read in browse mode.
 	The message will be presented in an HTML document.
@@ -144,6 +147,10 @@ def browseableMessage(
 	:param isHtml: Whether the message is html, defaults to False.
 	:param closeButton: Whether to include a "close" button, defaults to False.
 	:param copyButton: Whether to include a "copy" (to clipboard) button, defaults to False.
+	:param sanitizeHtmlFunc: How to sanitize the html message, if isHtml is True.
+	Defaults to `nh3.clean` with default arguments.
+	Ensure to sanitize the html message if the source of it could be untrusted.
+	Any translatable string, or user generated content should be sanitized.
 	"""
 	if isRunningOnSecureDesktop():
 		_warnBrowsableMessageNotAvailableOnSecureScreens(title)
@@ -179,10 +186,11 @@ def browseableMessage(
 	d.add("title", title)
 
 	if not isHtml:
-		message = f"<pre>{escape(message)}</pre>"
+		messageSanitized = f"<pre>{escape(message)}</pre>"
 	else:
-		log.warning("Passing raw HTML to ui.browseableMessage!")
-	d.add("message", message)
+		log.warning("Sanitizing raw HTML before passing to ui.browseableMessage!")
+		messageSanitized = sanitizeHtmlFunc(message)
+	d.add("message", messageSanitized)
 
 	# Translators: A notice to the user that a copy operation succeeded.
 	d.add("copySuccessfulAlertText", _("Text copied."))
diff --git a/user_docs/en/changes.md b/user_docs/en/changes.md
@@ -160,6 +160,11 @@ As the NVDA update check URL is now configurable directly within NVDA, no replac
 * The following symbols have been removed with no replacement: `languageHandler.getLanguageCliArgs`, `__main__.quitGroup` and `__main__.installGroup` . (#17486, @CyrilleB79)
 * Prefix matching on command line flags, e.g. using `--di` for `--disable-addons` is no longer supported. (#11644, @CyrilleB79)
 * The `useAsFallBack` keyword argument of `bdDetect.DriverRegistrar` has been renamed to `useAsFallback`. (#17521, @LeonarddeR)
+* In `NVDAObjects.window.scintilla.ScintillaTextInfo`, if no text is selected, the `collapse` method is overriden to expand to line if the `end` parameter is set to `True`. (#17431, @nvdaes)
+* `ui.browseableMessage` now takes a parameter `sanitizeHtmlFunc`.
+This defaults to `nh3.clean` with default arguments.
+This means any HTML passed into `ui.browseableMessage` using `isHtml=True` is now sanitized by default.
+To change sanitization rules, such as whitelisting tags or attributes, create a function that calls `nh3.clean` with the desired parameters. (#16985)
 
 #### Deprecations
 
