PrismJS is outdated and prone to DOM XSS

[BradHolmes]

A checkmarx scan of our docsy-themed documentation turned up a reported Client DOM XSS vulnerability in static/js/prims.js. It reports:

The application's o embeds untrusted data in the generated output with element, at line 120 of .../static/js/prism.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

The problematic 'o' method:

function o(e) {
    l.highlightedCode =  e, M.hooks.run("before-insert", l), l.element.innerHTML = l.highlightedCode, M.hooks.run("after-highlight", l), M.hooks.run("complete", l), t && t.call(l.element)

I see that static/js/prism.js appears to be a hard-coded copy of approximately v1.21.0 of primsjs. But it isn't clear where exactly it came from. Should it be pulled in dynamically as an npm dependency? Or alternatively, a small change is made to static/js/prims.js to sanitize e before inserting it into the DOM?

[LisaFC]

@chalin what do you think?

[chalin]

Thanks @BradHolmes for reporting this. Yes we should fix this. I'd vote for switching over to using a CDN. Any objections @LisaFC?

[LisaFC]

No objections here!

[emckean]

+1 for CDN

[BradHolmes]

Is there anything I can do to help make this switch to CDN?

[chalin]

Looking into this a bit more, and reading about how Docsy provides Prism support, I'd like to suggest that we simply update the Prism JS and CSS files to the current version (1.28.0 atm).