Sanitize browseableMessage html

[seanbudd]

Link to issue number:

Fixes #16985

Summary of the issue:

ui.browsableMessage can inject unsanitized HTML into NVDA.
This is an issue if translations are passed in as unsanitized HTML.
Translations are fairly unregulated, translation strings are the only "code" included in NVDA without a direct review from NV Access or as a review as a dependency. If NVDA translations can perform RCE, we have a problem.
Considering no NVDA source code uses the isHtml functionality of this function currently, this isn't an active vector.
However, if we ever start using isHtml, it becomes an active vector, which is something we want to avoid and prevent from becoming a possibility.

Description of user facing changes

HTML is now sanitised for browseableMessages. This will only affect add-ons. It may cause some add-ons to lose formatting in browseableMessages that use HTML. To restore certain formatting, authors can update the whitelisting by calling nh3.clean with their own desired parameters.

Description of development approach

Added a sanitization function to browseableMessage.

Testing strategy:

• Tested from console by calling ui.browseableMessage

import ui
import nh3
clean = lambda x: nh3.clean(x, tags={"i"})
ui.browseableMessage("<b><i>test</i></b>", "title example", isHtml=True, sanitizeHtmlFunc=clean)

Confirm only italic formatting is shown.

Known issues with pull request:

None

Code Review Checklist:

• Documentation:
  • Change log entry
  • User Documentation
  • Developer / Technical Documentation
  • Context sensitive help for GUI changes
• Testing:
  • Unit tests
  • System (end to end) tests
  • Manual testing
• UX of all users considered:
  • Speech
  • Braille
  • Low Vision
  • Different web browsers
  • Localization in other languages / culture than English
• API is compatible with existing add-ons.
• Security precautions taken.

@coderabbitai summary

[AppVeyorBot]

• PASS: Translation comments check.
• PASS: License check.
• PASS: Unit tests.
• PASS: Lint check.
• FAIL: System tests (tags: installer NVDA). See test results for more information.
• Build (for testing PR): https://ci.appveyor.com/api/buildjobs/hqifb2lo366y6b40/artifacts/output/nvda_snapshot_pr17581-34902,2d1a3341.exe
• CI timing (mins):
  INIT 0.0,
  INSTALL_START 1.3,
  INSTALL_END 1.0,
  BUILD_START 0.0,
  BUILD_END 24.3,
  TESTSETUP_START 0.0,
  TESTSETUP_END 0.4,
  TEST_START 0.0,
  TEST_END 18.5,
  FINISH_END 0.2

See test results for failed build of commit 2d1a334176

[SaschaCowley]

Just a few nitpicky suggestions

[SaschaCowley]

Do changes need to be made to bundle nh3 with NVDA, or will it automatically be included because it has been imported in source/?

[seanbudd]

It should be automatically included - this is proven when running the installer. However, it won't import everything, only what is needed like other dependencies