From ec24ac27fe1f487989051a935ed1337aaa6bc215 Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Fri, 1 May 2020 00:55:31 -0400
Subject: [PATCH] fix: sanitize markdown preview on content change
---
 client/components/editor/editor-markdown.vue | 3 ++-
 package.json | 1 +
 yarn.lock | 5 +++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/client/components/editor/editor-markdown.vue b/client/components/editor/editor-markdown.vue
index cda89bbc69..4385e2bd0e 100644
--- a/client/components/editor/editor-markdown.vue
+++ b/client/components/editor/editor-markdown.vue
@@ -184,6 +184,7 @@ import _ from 'lodash'
 import { get, sync } from 'vuex-pathify'
 import markdownHelp from './markdown/help.vue'
 import gql from 'graphql-tag'
+import DOMPurify from 'dompurify'
 /* global siteConfig, siteLangs */
@@ -395,7 +396,7 @@ export default {
     onCmInput: _.debounce(function (newContent) {
       linesMap = []
       this.$store.set('editor/content', newContent)
-      this.previewHTML = md.render(newContent)
+      this.previewHTML = DOMPurify.sanitize(md.render(newContent))
       this.$nextTick(() => {
         this.renderMermaidDiagrams()
         Prism.highlightAllUnder(this.$refs.editorPreview)
diff --git a/package.json b/package.json
index 9b5ca6df5d..458bc299aa 100644
--- a/package.json
+++ b/package.json
@@ -65,6 +65,7 @@
     "dependency-graph": "0.9.0",
     "diff": "4.0.2",
     "diff2html": "3.1.6",
+    "dompurify": "2.0.10",
     "dotize": "0.3.0",
     "elasticsearch6": "npm:@elastic/elasticsearch@6",
     "elasticsearch7": "npm:@elastic/elasticsearch@7",
diff --git a/yarn.lock b/yarn.lock
index 431618baa5..fb77247faf 100644
--- a/yarn.lock
+++ b/yarn.lock
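Review bot: The sanitize call in `onCmInput` covers only the string returned by `md.render`; the `$nextTick` callback then mutates the inserted DOM through `renderMermaidDiagrams()` and `Prism.highlightAllUnder(...)`, and whatever markup those helpers derive from the user's text is never passed through DOMPurify, so the guard does not extend to them. If `previewHTML` is bound with `v-html` (not visible here), any other assignment to it outside this hunk, such as an initial render on load, would need the same wrapper; a small helper like `const sanitizePreview = (html) => DOMPurify.sanitize(html)` would keep every call site on one configuration. A comment on the changed line, `// markdown-it and its plugins can pass raw HTML through; sanitize before it is bound into the preview DOM`, would record why the renderer output is not trusted. This protects only the author's own preview; the stored page still depends on whatever sanitization the server-side render pipeline applies. The enclosing `onCmInput` handler and the `export default` object both extend beyond the hunk.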
@@ -6265,6 +6265,11 @@ domhandler@^2.3.0:
   dependencies:
     domelementtype "1"
+dompurify@2.0.10:
+  version "2.0.10"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.0.10.tgz#d193f36d8148b4297a3a420b992d20eeff47a4d3"
+  integrity sha512-ok1dcSztsIuVxWG6Cx0ujyDIzNclz9W9OIU0cOb0IT+VAtSLrOelZF4miUvSm1U4PoCw8D7sIOLCnCQOaVpr3w==
+
 domutils@1.5.1:
   version "1.5.1"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.5.1.tgz#dcd8488a26f563d61079e48c9f7b7e32373682cf"