fix 235221: Passing the markdown content to the webview via meta tag and purifying it before use

Author: Parasaran-Python

extensions/markdown-language-features/preview-src/index.ts

@@ -353,6 +353,12 @@ document.addEventListener('click', event => {
 	}
 }, true);
 
+window.addEventListener('load', () => {
+	const htmlParser = new DOMParser();
+	const markDownHtml = htmlParser.parseFromString(getData('data-md-content'), 'text/html');
+	document.body.appendChild(markDownHtml.body);
+});
+
 window.addEventListener('scroll', throttle(() => {
 	updateScrollProgress();
 

extensions/markdown-language-features/src/preview/documentRenderer.ts

@@ -98,13 +98,13 @@ export class MdDocumentRenderer {
 				<meta id="vscode-markdown-preview-data"
 					data-settings="${escapeAttribute(JSON.stringify(initialData))}"
 					data-strings="${escapeAttribute(JSON.stringify(previewStrings))}"
-					data-state="${escapeAttribute(JSON.stringify(state || {}))}">
+					data-state="${escapeAttribute(JSON.stringify(state || {}))}"
+					data-md-content="${escapeAttribute(JSON.stringify(body.html))}">
 				<script src="${this._extensionResourcePath(resourceProvider, 'pre.js')}" nonce="${nonce}"></script>
 				${this._getStyles(resourceProvider, sourceUri, config, imageInfo)}
 				<base href="${resourceProvider.asWebviewUri(markdownDocument.uri)}">
 			</head>
 			<body class="vscode-body ${config.scrollBeyondLastLine ? 'scrollBeyondLastLine' : ''} ${config.wordWrap ? 'wordWrap' : ''} ${config.markEditorSelection ? 'showEditorSelection' : ''}">
-				${body.html}
 				${this._getScripts(resourceProvider, nonce)}
 			</body>
 			</html>`;