Merge pull request #368 from SolidOS/sanitize

sanitize markdown
SolidOS · Mar 9, 2023 · 282a8fe · 282a8fe
2 parents 974f830 + 39483f7
commit 282a8fe
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -49,6 +49,7 @@
     "activitystreams-pane": "0.6.10",
     "chat-pane": "2.4.22",
     "contacts-pane": "^2.6.9",
+    "dompurify": "^3.0.1",
     "folder-pane": "^2.4.24",
     "issue-pane": "2.4.16",
     "marked": "^4.2.12",

diff --git a/src/humanReadablePane.js b/src/humanReadablePane.js
@@ -6,6 +6,7 @@
 import { icons, ns } from 'solid-ui'
 import { Util } from 'rdflib'
 import { marked } from 'marked'
+import * as DOMPurify from 'dompurify'
 
 const humanReadablePane = {
   icon: icons.originalIconBase + 'tango/22-text-x-generic.png',
@@ -76,7 +77,7 @@ const humanReadablePane = {
     const cts = kb.fetcher.getHeader(subject.doc(), 'content-type')
     const ct = cts ? cts[0] : null
     if (ct) {
-      console.log('humanReadablePane: c-t:' + ct)
+      // console.log('humanReadablePane: c-t:' + ct)
     } else {
       console.log('humanReadablePane: unknown content-type?')
     }
@@ -92,7 +93,8 @@ const humanReadablePane = {
         const markdownText = response.responseText
         const lines = Math.min(30, markdownText.split(/\n/).length + 5)
         const res = marked.parse(markdownText)
-        frame.innerHTML = res
+        const clean = DOMPurify.sanitize(res)
+        frame.innerHTML = clean
         frame.setAttribute('class', 'doc')
         frame.setAttribute('style', `border: 1px solid; padding: 1em; height: ${lines}em; width: 800px; resize: both; overflow: auto;`)
       })