Merge pull request #179 from gamosoft/features/xss

html sanitization to avoid XSS
This commit is contained in:
Guillermo Villar 2026-03-03 09:27:32 +01:00 committed by GitHub
commit 41b183824d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 16 additions and 2 deletions

View File

@ -341,6 +341,9 @@ def generate_export_html(
<!-- Marked.js for markdown parsing -->
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.0/marked.min.js"></script>
<!-- DOMPurify for HTML sanitization (XSS prevention) -->
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
<!-- MathJax for LaTeX math rendering -->
<script>
MathJax = {{
@ -682,8 +685,11 @@ def generate_export_html(
// Raw markdown content
const markdown = `{escaped_content}`;
// Render markdown
document.getElementById('content').innerHTML = marked.parse(markdown);
// Render markdown with XSS sanitization
// DOMPurify strips scripts, iframes, and event handlers while allowing safe HTML/SVG
const rawHtml = marked.parse(markdown);
const safeHtml = DOMPurify.sanitize(rawHtml);
document.getElementById('content').innerHTML = safeHtml;
// Add copy buttons to code blocks
document.querySelectorAll('.markdown-preview pre').forEach(pre => {{

View File

@ -4145,6 +4145,11 @@ function noteApp() {
// Parse markdown
let html = marked.parse(contentToRender);
// Sanitize HTML to prevent XSS attacks
// DOMPurify defaults allow most HTML/SVG tags but strip scripts, iframes, and event handlers
// MathJax and Mermaid run AFTER this, so their elements don't need whitelisting
html = DOMPurify.sanitize(html);
// Post-process: Add target="_blank" to external links and title attributes to images
// Parse as DOM to safely manipulate
const tempDiv = document.createElement('div');

View File

@ -63,6 +63,9 @@
<!-- Marked.js for Markdown parsing (v12.0.2) -->
<script src="https://cdn.jsdelivr.net/npm/marked@12.0.2/marked.min.js"></script>
<!-- DOMPurify for HTML sanitization (XSS prevention) -->
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
<!-- MathJax for LaTeX math rendering -->
<script>
MathJax = {