mirror of
https://github.com/microsoft/PowerToys.git
synced 2026-02-23 19:49:43 +01:00
876130c3cd
<!-- Enter a brief description/summary of your PR here. What does it fix/what does it change/how was it tested (even manually, if necessary)? --> ## Summary of the Pull Request In PR #44456, we disabled scripts and HTML, but we still want to allow HTML rendering. This pull request introduces significant security improvements and UI enhancements to the file previewer, focusing on safe rendering of files and better user communication when opening external links. The main changes include strict resource filtering to prevent external content loading (and potential XSS attacks), a more informative dialog when opening external URIs, and improved logic for determining how different file types are previewed. **Security enhancements:** * Added strict resource filtering for non-dev file previews in `BrowserControl` to block external HTTP/S requests and limit local file access to the same directory and subdirectories, preventing XSS and unwanted external content loading. * Set the `WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS` environment variable to block new web contents for extra security. * Removed disabling of HTML rendering in the Markdown pipeline to allow safe local rendering (now protected by resource filtering). **File preview logic improvements:** * Refactored previewer logic to prioritize file type handling: Markdown, SVG, HTML/HTM, Monaco-supported source code, and fallback types, ensuring correct preview strategy and context menu behavior for each type. * Resource filtering is dynamically applied or removed based on whether the file is a dev/source code file (Monaco editor) or not, ensuring compatibility and security. **User interface enhancements:** * Updated the open URI dialog to include a warning banner and improved messaging, informing users about the risks of opening external links. <img width="1174" height="336" alt="image" src="https://github.com/user-attachments/assets/db6b2a11-c972-473a-a1bc-a24f3244f18f" /> <!-- Please review the items on the PR checklist before submitting--> ## PR Checklist - [x] Closes: #44600 <!-- - [ ] Closes: #yyy (add separate lines for additional resolved issues) --> - [ ] **Communication:** I've discussed this with core contributors already. If the work hasn't been agreed, this work might be rejected - [ ] **Tests:** Added/updated and all pass - [ ] **Localization:** All end-user-facing strings can be localized - [ ] **Dev docs:** Added/updated - [ ] **New binaries:** Added on the required places - [ ] [JSON for signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json) for new binaries - [ ] [WXS for installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs) for new binaries and localization folder - [ ] [YML for CI pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml) for new test projects - [ ] [YML for signed pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml) - [ ] **Documentation updated:** If checked, please file a pull request on [our docs repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys) and link it here: #xxx <!-- Provide a more detailed description of the PR, other things fixed, or any additional comments/features here --> ## Detailed Description of the Pull Request / Additional comments <!-- Describe how you validated the behavior. Add automated tests wherever possible, but list manual validation steps taken as well --> ## Validation Steps Performed use this file for testing [test-xss-vulnerability.md](https://github.com/user-attachments/files/24486900/test-xss-vulnerability.md) <img width="1547" height="1257" alt="image" src="https://github.com/user-attachments/assets/2047007c-1ee1-487c-96aa-30e82ac63f18" />