fix: sanitize markdown preview on content change

client/components/editor/editor-markdown.vue

@@ -184,6 +184,7 @@ import _ from 'lodash'
 import { get, sync } from 'vuex-pathify'
 import markdownHelp from './markdown/help.vue'
 import gql from 'graphql-tag'
+import DOMPurify from 'dompurify'
 
 /* global siteConfig, siteLangs */
 
@@ -395,7 +396,7 @@ export default {
     onCmInput: _.debounce(function (newContent) {
       linesMap = []
       this.$store.set('editor/content', newContent)
-      this.previewHTML = md.render(newContent)
+      this.previewHTML = DOMPurify.sanitize(md.render(newContent))
       this.$nextTick(() => {
         this.renderMermaidDiagrams()
         Prism.highlightAllUnder(this.$refs.editorPreview)

package.json

@@ -65,6 +65,7 @@
     "dependency-graph": "0.9.0",
     "diff": "4.0.2",
     "diff2html": "3.1.6",
+    "dompurify": "2.0.10",
     "dotize": "0.3.0",
     "elasticsearch6": "npm:@elastic/elasticsearch@6",
     "elasticsearch7": "npm:@elastic/elasticsearch@7",