fix: sanitize markdown preview on content change

2020-05-01 00:55:31 -04:00 · 2020-05-01 00:55:31 -04:00 · 05e8a71cef
commit 05e8a71cef
parent fd91565e61
3 changed files with 8 additions and 1 deletions
--- a/client/components/editor/editor-markdown.vue
+++ b/client/components/editor/editor-markdown.vue
@ -184,6 +184,7 @@ import _ from 'lodash'
 import { get, sync } from 'vuex-pathify'
 import markdownHelp from './markdown/help.vue'
 import gql from 'graphql-tag'
+import DOMPurify from 'dompurify'

 /* global siteConfig, siteLangs */

@ -395,7 +396,7 @@ export default {
    onCmInput: _.debounce(function (newContent) {
      linesMap = []
      this.$store.set('editor/content', newContent)
-      this.previewHTML = md.render(newContent)
+      this.previewHTML = DOMPurify.sanitize(md.render(newContent))
      this.$nextTick(() => {
        this.renderMermaidDiagrams()
        Prism.highlightAllUnder(this.$refs.editorPreview)
--- a/package.json
+++ b/package.json
@ -65,6 +65,7 @@
    "dependency-graph": "0.9.0",
    "diff": "4.0.2",
    "diff2html": "3.1.6",
+    "dompurify": "2.0.10",
    "dotize": "0.3.0",
    "elasticsearch6": "npm:@elastic/elasticsearch@6",
    "elasticsearch7": "npm:@elastic/elasticsearch@7",
--- a/yarn.lock
+++ b/yarn.lock
@ -6261,6 +6261,11 @@ domhandler@^2.3.0:
  dependencies:
    domelementtype "1"

+dompurify@2.0.10:
+  version "2.0.10"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.0.10.tgz#d193f36d8148b4297a3a420b992d20eeff47a4d3"
+  integrity sha512-ok1dcSztsIuVxWG6Cx0ujyDIzNclz9W9OIU0cOb0IT+VAtSLrOelZF4miUvSm1U4PoCw8D7sIOLCnCQOaVpr3w==
+
 domutils@1.5.1:
  version "1.5.1"
  resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.5.1.tgz#dcd8488a26f563d61079e48c9f7b7e32373682cf"