html sanitization to avoid XSS
This commit is contained in:
parent
c89ecb8fb2
commit
23a5fb342f
|
|
@ -341,6 +341,9 @@ def generate_export_html(
|
||||||
<!-- Marked.js for markdown parsing -->
|
<!-- Marked.js for markdown parsing -->
|
||||||
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.0/marked.min.js"></script>
|
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.0/marked.min.js"></script>
|
||||||
|
|
||||||
|
<!-- DOMPurify for HTML sanitization (XSS prevention) -->
|
||||||
|
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
|
||||||
|
|
||||||
<!-- MathJax for LaTeX math rendering -->
|
<!-- MathJax for LaTeX math rendering -->
|
||||||
<script>
|
<script>
|
||||||
MathJax = {{
|
MathJax = {{
|
||||||
|
|
@ -682,8 +685,11 @@ def generate_export_html(
|
||||||
// Raw markdown content
|
// Raw markdown content
|
||||||
const markdown = `{escaped_content}`;
|
const markdown = `{escaped_content}`;
|
||||||
|
|
||||||
// Render markdown
|
// Render markdown with XSS sanitization
|
||||||
document.getElementById('content').innerHTML = marked.parse(markdown);
|
// DOMPurify strips scripts, iframes, and event handlers while allowing safe HTML/SVG
|
||||||
|
const rawHtml = marked.parse(markdown);
|
||||||
|
const safeHtml = DOMPurify.sanitize(rawHtml);
|
||||||
|
document.getElementById('content').innerHTML = safeHtml;
|
||||||
|
|
||||||
// Add copy buttons to code blocks
|
// Add copy buttons to code blocks
|
||||||
document.querySelectorAll('.markdown-preview pre').forEach(pre => {{
|
document.querySelectorAll('.markdown-preview pre').forEach(pre => {{
|
||||||
|
|
|
||||||
|
|
@ -4145,6 +4145,11 @@ function noteApp() {
|
||||||
// Parse markdown
|
// Parse markdown
|
||||||
let html = marked.parse(contentToRender);
|
let html = marked.parse(contentToRender);
|
||||||
|
|
||||||
|
// Sanitize HTML to prevent XSS attacks
|
||||||
|
// DOMPurify defaults allow most HTML/SVG tags but strip scripts, iframes, and event handlers
|
||||||
|
// MathJax and Mermaid run AFTER this, so their elements don't need whitelisting
|
||||||
|
html = DOMPurify.sanitize(html);
|
||||||
|
|
||||||
// Post-process: Add target="_blank" to external links and title attributes to images
|
// Post-process: Add target="_blank" to external links and title attributes to images
|
||||||
// Parse as DOM to safely manipulate
|
// Parse as DOM to safely manipulate
|
||||||
const tempDiv = document.createElement('div');
|
const tempDiv = document.createElement('div');
|
||||||
|
|
|
||||||
|
|
@ -63,6 +63,9 @@
|
||||||
<!-- Marked.js for Markdown parsing (v12.0.2) -->
|
<!-- Marked.js for Markdown parsing (v12.0.2) -->
|
||||||
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.2/marked.min.js"></script>
|
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.2/marked.min.js"></script>
|
||||||
|
|
||||||
|
<!-- DOMPurify for HTML sanitization (XSS prevention) -->
|
||||||
|
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
|
||||||
|
|
||||||
<!-- MathJax for LaTeX math rendering -->
|
<!-- MathJax for LaTeX math rendering -->
|
||||||
<script>
|
<script>
|
||||||
MathJax = {
|
MathJax = {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue