🔒 Removed unused and insecure preview endpoint

refs: https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg

- This was part of an experiment during the build phase of 4.0. We never ended up using it, but the endpoint wasn't cleaned up.
- The endpoint leaves sites open to a security vulnerability. Anyone running 4.x should update to 4.3.3

Credits: Paul Gerste, SonarSource (https://www.sonarsource.com/)

.gitignore

@@ -123,7 +123,6 @@ test/coverage
 # Built asset files
 /core/built
 /core/server/web/admin/views/*.html
-!/core/server/web/admin/views/preview.html
 /core/server/public/ghost.min.css
 
 # Caddyfile - for local development with ssl + caddy

core/server/web/admin/app.js

@@ -6,14 +6,11 @@ const constants = require('@tryghost/constants');
 const urlUtils = require('../../../shared/url-utils');
 const shared = require('../shared');
 const adminMiddleware = require('./middleware');
-const preview = require('./preview');
 
 module.exports = function setupAdminApp() {
     debug('Admin setup start');
     const adminApp = express('admin');
 
-    adminApp.use('/preview', preview);
-
     // Admin assets
     // @TODO ensure this gets a local 404 error handler
     const configMaxAge = config.get('caching:admin:maxAge');

core/server/web/admin/preview.js

@@ -1,15 +0,0 @@
-const path = require('path');
-const config = require('../../../shared/config');
-
-function servePreview(req, res, next) {
-    if (req.path === '/') {
-        const templatePath = path.resolve(config.get('paths').adminViews, 'preview.html');
-        return res.sendFile(templatePath);
-    }
-
-    next();
-}
-
-module.exports = [
-    servePreview
-];

core/server/web/admin/views/preview.html

@@ -1,53 +0,0 @@
-<script type="text/javascript" charset="utf-8">
-    (function(){
-        function onReceive(message) {
-            // If we're not using IE, or HTTPS we can use document.write
-            if ((window.location.protocol === 'http:') || !navigator.userAgent.match(/MSIE|rv:11/i)) {
-                document.write(message.data);
-                document.close();
-                return;
-            }
-
-            // In all other cases document.write() is blocked in callbacks - process the HTML instead
-            // We also have to individually add <script> tags back in - same as when using unsafeHTML in react
-            var domParser = new DOMParser();
-            var html = domParser.parseFromString(message.data, 'text/html');
-            document.getElementsByTagName('head')[0].innerHTML = html.getElementsByTagName('head')[0].innerHTML;
-            document.getElementsByTagName('body')[0].innerHTML = html.getElementsByTagName('body')[0].innerHTML;
-
-            var allScripts = document.getElementsByTagName('script');
-            if (allScripts.length > 0) {
-                var scripts = [];
-                for (var i = 0; i < allScripts.length; i++) {
-                    scripts.push(allScripts[i]);
-                }
-
-                for (var i = 0; i < scripts.length; i++) {
-                    var s = document.createElement('script');
-                    s.innerHTML = scripts[i].innerHTML;
-                    scripts[i].parentNode.appendChild(s);
-                    scripts[i].parentNode.removeChild(scripts[i]);
-                }
-            }
-        }
-
-        if (window.addEventListener){
-            addEventListener("message", onReceive, true);
-        } else {
-            attachEvent("onmessage", onReceive);
-        }
-
-        top.postMessage('loaded', "*");
-
-    })();
-
-    (function(XMLHttpRequest){
-        if (!XMLHttpRequest || !XMLHttpRequest.prototype) return;
-        var noXHR = function() {
-            if (console) {
-                console.error('Not Permitted');
-            }
-        };
-        XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send = noXHR;
-    })(this.XMLHttpRequest);
-    </script>