nvaccess · seanbudd · Jan 15, 2025 · Jan 5, 2025 · Jan 6, 2025 · Jan 15, 2025
@@ -21,13 +21,16 @@
 from comtypes import automation
 from comtypes import COMError
 from html import escape
+
+import nh3
 from logHandler import log
 import gui
 import speech
 import braille
 from config.configFlags import TetherTo
 import globalVars
 from typing import Optional
+from collections.abc import Callable
 
 from utils.security import isRunningOnSecureDesktop
 
@@ -135,6 +138,7 @@ def browseableMessage(
 	isHtml: bool = False,
 	closeButton: bool = False,
 	copyButton: bool = False,
+	sanitizeHtmlFunc: Callable[[str], str] = nh3.clean,
 ) -> None:
 	"""Present a message to the user that can be read in browse mode.
 	The message will be presented in an HTML document.
@@ -144,6 +148,10 @@ def browseableMessage(
 	:param isHtml: Whether the message is html, defaults to False.
 	:param closeButton: Whether to include a "close" button, defaults to False.
 	:param copyButton: Whether to include a "copy" (to clipboard) button, defaults to False.
+	:param sanitizeHtmlFunc: How to sanitize the html message, if isHtml is True.
+	Defaults to `nh3.clean` with default arguments.
+	Ensure to sanitize the html message if the source of it could be untrusted.
+	Any translatable string, or user generated content should be sanitized.
 	"""
 	if isRunningOnSecureDesktop():
 		_warnBrowsableMessageNotAvailableOnSecureScreens(title)
@@ -179,10 +187,11 @@ def browseableMessage(
 	d.add("title", title)
 
 	if not isHtml:
-		message = f"<pre>{escape(message)}</pre>"
+		messageSanitized = f"<pre>{escape(message)}</pre>"
 	else:
-		log.warning("Passing raw HTML to ui.browseableMessage!")
-	d.add("message", message)
+		log.debug("Sanitizing raw HTML before passing to ui.browseableMessage")
+		messageSanitized = sanitizeHtmlFunc(message)
+	d.add("message", messageSanitized)
 
 	# Translators: A notice to the user that a copy operation succeeded.
 	d.add("copySuccessfulAlertText", _("Text copied."))

@@ -169,6 +169,10 @@ As the NVDA update check URL is now configurable directly within NVDA, no replac
 * The following symbols have been removed with no replacement: `languageHandler.getLanguageCliArgs`, `__main__.quitGroup` and `__main__.installGroup` . (#17486, @CyrilleB79)
 * Prefix matching on command line flags, e.g. using `--di` for `--disable-addons` is no longer supported. (#11644, @CyrilleB79)
 * The `useAsFallBack` keyword argument of `bdDetect.DriverRegistrar` has been renamed to `useAsFallback`. (#17521, @LeonarddeR)
+* `ui.browseableMessage` now takes a parameter `sanitizeHtmlFunc`.
+This defaults to `nh3.clean` with default arguments.
+This means any HTML passed into `ui.browseableMessage` using `isHtml=True` is now sanitized by default.
+To change sanitization rules, such as whitelisting tags or attributes, create a function that calls `nh3.clean` with the desired parameters. (#16985)
 * `updateCheck.UpdateAskInstallDialog` no longer automatically performs an action when the update or postpone buttons are pressed.
 Instead, a `callback` property has been added, which returns a function that performs the appropriate action when called with the return value from the dialog. (#17582)
 * Dialogs opened with `gui.runScriptModalDialog` are now recognised as modal by NVDA. (#17582)