From 440e24540f726de21a1f8906c159c23d4cf316ff Mon Sep 17 00:00:00 2001
From: Lars <lars@serlo.org>
Date: Mon, 23 Dec 2024 11:19:06 +0100
Subject: [PATCH 1/3] fix(plugin-edusharing): use DomPurify to sanitize embed
 html from edu-sharing

---
 .../editor/src/plugins/edusharing-asset/renderer.tsx   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/editor/src/plugins/edusharing-asset/renderer.tsx b/packages/editor/src/plugins/edusharing-asset/renderer.tsx
index d5ee58120f..5d156c29d0 100644
--- a/packages/editor/src/plugins/edusharing-asset/renderer.tsx
+++ b/packages/editor/src/plugins/edusharing-asset/renderer.tsx
@@ -1,5 +1,6 @@
 import EdusharingIcon from '@editor/editor-ui/assets/edusharing.svg'
 import { IframeResizer } from '@open-iframe-resizer/react'
+import DOMPurify from 'dompurify'
 import * as t from 'io-ts'
 import { memo, useEffect, useState } from 'react'
 
@@ -86,8 +87,15 @@ export function EdusharingAssetRenderer(props: {
 
       const html = buildHtml(htmlSnippet, defineContainerHeight)
 
+      const sanatizedHtml = DOMPurify.sanitize(html, {
+        // We allow <script> and <iframe> elements. Those are part of the html snippet we get from edu-sharing and cannot be removed or the embed will break. <script> elements cannot be manipulated by the user and we can trust them.
+        ADD_TAGS: ['script', 'iframe'],
+        // Return entire html document including <html>, <body>, ...
+        WHOLE_DOCUMENT: true,
+      })
+
       setEmbedType(embedType)
-      setEmbedHtml(html)
+      setEmbedHtml(sanatizedHtml)
       setDefineContainerHeight(defineContainerHeight)
     }
 

From 05b54fa9ef5b535d89d275716aeab745e5a7cb0d Mon Sep 17 00:00:00 2001
From: Lars <lars@serlo.org>
Date: Mon, 23 Dec 2024 11:20:27 +0100
Subject: [PATCH 2/3] fix(plugin-edusharing): fix typo

---
 packages/editor/src/plugins/edusharing-asset/renderer.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/editor/src/plugins/edusharing-asset/renderer.tsx b/packages/editor/src/plugins/edusharing-asset/renderer.tsx
index 5d156c29d0..2d9a819cd2 100644
--- a/packages/editor/src/plugins/edusharing-asset/renderer.tsx
+++ b/packages/editor/src/plugins/edusharing-asset/renderer.tsx
@@ -87,7 +87,7 @@ export function EdusharingAssetRenderer(props: {
 
       const html = buildHtml(htmlSnippet, defineContainerHeight)
 
-      const sanatizedHtml = DOMPurify.sanitize(html, {
+      const sanitizedHtml = DOMPurify.sanitize(html, {
         // We allow <script> and <iframe> elements. Those are part of the html snippet we get from edu-sharing and cannot be removed or the embed will break. <script> elements cannot be manipulated by the user and we can trust them.
         ADD_TAGS: ['script', 'iframe'],
         // Return entire html document including <html>, <body>, ...
@@ -95,7 +95,7 @@ export function EdusharingAssetRenderer(props: {
       })
 
       setEmbedType(embedType)
-      setEmbedHtml(sanatizedHtml)
+      setEmbedHtml(sanitizedHtml)
       setDefineContainerHeight(defineContainerHeight)
     }
 

From 8eed625f015a7bbf22af1508e3fd3d3164d69220 Mon Sep 17 00:00:00 2001
From: Lars <lars@serlo.org>
Date: Mon, 23 Dec 2024 11:26:44 +0100
Subject: [PATCH 3/3] fix(plugin-edusharing): add `dompurify` to dependencies

---
 packages/editor/package.json | 1 +
 yarn.lock                    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/packages/editor/package.json b/packages/editor/package.json
index a77ea331a6..8b054c4d38 100644
--- a/packages/editor/package.json
+++ b/packages/editor/package.json
@@ -50,6 +50,7 @@
     "@open-iframe-resizer/react": "1.2.1",
     "@serlo/katex-styles": "1.0.1",
     "@vidstack/react": "next",
+    "dompurify": "^3.2.3",
     "isomorphic-dompurify": "^2.19.0",
     "lit": "^3.2.1",
     "motion": "^11.11.17",
diff --git a/yarn.lock b/yarn.lock
index 7712aab187..763e227475 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5798,6 +5798,7 @@ __metadata:
     "@vitejs/plugin-react": ^4.3.3
     autoprefixer: ^10.4.20
     clsx: ^2.1.1
+    dompurify: ^3.2.3
     eslint: ^9.14.0
     eslint-config-next: ^15.0.3
     eslint-config-prettier: ^9.1.0