fix: sanitize markdown preview on content change

requarks · May 1, 2020 · ec24ac2 · ec24ac2
1 parent b293147
commit ec24ac2
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/client/components/editor/editor-markdown.vue b/client/components/editor/editor-markdown.vue
@@ -184,6 +184,7 @@ import _ from 'lodash'
 import { get, sync } from 'vuex-pathify'
 import markdownHelp from './markdown/help.vue'
 import gql from 'graphql-tag'
+import DOMPurify from 'dompurify'
 
 /* global siteConfig, siteLangs */
 
@@ -395,7 +396,7 @@ export default {
     onCmInput: _.debounce(function (newContent) {
       linesMap = []
       this.$store.set('editor/content', newContent)
-      this.previewHTML = md.render(newContent)
+      this.previewHTML = DOMPurify.sanitize(md.render(newContent))
       this.$nextTick(() => {
         this.renderMermaidDiagrams()
         Prism.highlightAllUnder(this.$refs.editorPreview)

diff --git a/package.json b/package.json
@@ -65,6 +65,7 @@
     "dependency-graph": "0.9.0",
     "diff": "4.0.2",
     "diff2html": "3.1.6",
+    "dompurify": "2.0.10",
     "dotize": "0.3.0",
     "elasticsearch6": "npm:@elastic/elasticsearch@6",
     "elasticsearch7": "npm:@elastic/elasticsearch@7",

diff --git a/yarn.lock b/yarn.lock
@@ -6265,6 +6265,11 @@ domhandler@^2.3.0:
   dependencies:
     domelementtype "1"
 
+dompurify@2.0.10:
+  version "2.0.10"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.0.10.tgz#d193f36d8148b4297a3a420b992d20eeff47a4d3"
+  integrity sha512-ok1dcSztsIuVxWG6Cx0ujyDIzNclz9W9OIU0cOb0IT+VAtSLrOelZF4miUvSm1U4PoCw8D7sIOLCnCQOaVpr3w==
+
 domutils@1.5.1:
   version "1.5.1"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.5.1.tgz#dcd8488a26f563d61079e48c9f7b7e32373682cf"