Sanitize markdown HTML output with DOMPurify to prevent XSS (#658)

This commit is contained in:
Thomas Durieux
2026-04-15 04:22:38 +02:00
committed by GitHub
parent b2d77faa6c
commit 812f8b6314
6 changed files with 1299 additions and 3 deletions
+2 -1
@@ -4,6 +4,7 @@ import * as path from "path";
import AnonymizedFile from "../../core/AnonymizedFile";
import AnonymousError from "../../core/AnonymousError";
import * as marked from "marked";
import DOMPurify from "isomorphic-dompurify";
import { streamToString } from "../../core/anonymize-utils";
import { IFile } from "../../core/model/files/files.types";
@@ -113,7 +114,7 @@ async function webView(req: express.Request, res: express.Response) {
}
if (f.extension() == "md") {
const content = await streamToString(await f.anonymizedContent());
const body = marked.marked(content, { headerIds: false, mangle: false });
const body = DOMPurify.sanitize(marked.marked(content, { headerIds: false, mangle: false }));
const html = `<!DOCTYPE html><html><head><title>Content</title></head><link rel="stylesheet" href="/css/all.min.css" /><body><div class="container p-3 file-content markdown-body">${body}<div></body></html>`;
res.contentType("text/html").send(html);
} else {
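Review bot: The new `const body = DOMPurify.sanitize(marked.marked(...))` line relies on DOMPurify's default profile, which also admits SVG and MathML markup; unless inline SVG/MathML in the markdown is an intended feature, pinning the policy with `const rendered = marked.marked(content, { headerIds: false, mangle: false });` followed by `const body = DOMPurify.sanitize(rendered, { USE_PROFILES: { html: true } });` keeps the allowed surface to HTML and makes the chosen allow-list visible to the next reader. A short comment on that line, `// marked passes raw HTML through unchanged, so the rendered output is sanitized before it is embedded in the page`, would record why the wrapper exists. The unchanged template on the following line closes the container with `<div>` instead of `</div>` and places the `<link>` after `</head>`; both predate this commit but are worth a follow-up now that the sanitized body is inserted into that document. The enclosing webView function starts and ends outside this hunk.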