html sanitization to avoid XSS
This commit is contained in:
parent
c89ecb8fb2
commit
23a5fb342f
|
|
@ -341,6 +341,9 @@ def generate_export_html(
|
|||
<!-- Marked.js for markdown parsing -->
|
||||
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.0/marked.min.js"></script>
|
||||
|
||||
<!-- DOMPurify for HTML sanitization (XSS prevention) -->
|
||||
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
|
||||
|
||||
<!-- MathJax for LaTeX math rendering -->
|
||||
<script>
|
||||
MathJax = {{
|
||||
|
|
@ -682,8 +685,11 @@ def generate_export_html(
|
|||
// Raw markdown content
|
||||
const markdown = `{escaped_content}`;
|
||||
|
||||
// Render markdown
|
||||
document.getElementById('content').innerHTML = marked.parse(markdown);
|
||||
// Render markdown with XSS sanitization
|
||||
// DOMPurify strips scripts, iframes, and event handlers while allowing safe HTML/SVG
|
||||
const rawHtml = marked.parse(markdown);
|
||||
const safeHtml = DOMPurify.sanitize(rawHtml);
|
||||
document.getElementById('content').innerHTML = safeHtml;
|
||||
|
||||
// Add copy buttons to code blocks
|
||||
document.querySelectorAll('.markdown-preview pre').forEach(pre => {{
|
||||
|
|
|
|||
|
|
@ -4145,6 +4145,11 @@ function noteApp() {
|
|||
// Parse markdown
|
||||
let html = marked.parse(contentToRender);
|
||||
|
||||
// Sanitize HTML to prevent XSS attacks
|
||||
// DOMPurify defaults allow most HTML/SVG tags but strip scripts, iframes, and event handlers
|
||||
// MathJax and Mermaid run AFTER this, so their elements don't need whitelisting
|
||||
html = DOMPurify.sanitize(html);
|
||||
|
||||
// Post-process: Add target="_blank" to external links and title attributes to images
|
||||
// Parse as DOM to safely manipulate
|
||||
const tempDiv = document.createElement('div');
|
||||
|
|
|
|||
|
|
@ -63,6 +63,9 @@
|
|||
<!-- Marked.js for Markdown parsing (v12.0.2) -->
|
||||
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.2/marked.min.js"></script>
|
||||
|
||||
<!-- DOMPurify for HTML sanitization (XSS prevention) -->
|
||||
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
|
||||
|
||||
<!-- MathJax for LaTeX math rendering -->
|
||||
<script>
|
||||
MathJax = {
|
||||
|
|
|
|||
Loading…
Reference in New Issue