github/drone
5
0
Fork 0
mirror of https://github.com/harness/drone.git synced 2025-05-21 11:29:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix XSS issue against markdown editor / viewer (#2041)

Browse Source
This commit is contained in:
Tan Nhu 2024-05-15 16:32:34 +00:00 committed by Harness
parent 8049651963
commit 49f3bf151e
3 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
web/package.json
View File

@ -86,6 +86,7 @@
"react-table": "^7.1.0",
"react-timeago": "^4.4.0",
"rehype-external-links": "^2.0.1",
"rehype-sanitize": "^6.0.0",
"rehype-video": "^1.2.2",
"restful-react": "15.6.0",
"selecto": "^1.26.3",

4
web/src/components/MarkdownViewer/MarkdownViewer.tsx
View File

@ -16,6 +16,7 @@
import { useHistory } from 'react-router-dom'
import { Container, Utils } from '@harnessio/uicore'
import rehypeSanitize from 'rehype-sanitize'
import React, { useCallback, useEffect, useMemo, useRef, useState } from 'react'
import { isEmpty } from 'lodash-es'
import cx from 'classnames'
@ -145,7 +146,7 @@ export function MarkdownViewer({
<MarkdownPreview
key={flag ? hash : 0}
source={markdown}
skipHtml={true}
skipHtml={false}
warpperElement={{ 'data-color-mode': darkMode ? 'dark' : 'light' }}
rehypeRewrite={(node, _index, parent) => {
if ((node as unknown as HTMLDivElement).tagName === 'a') {
@ -206,6 +207,7 @@ export function MarkdownViewer({
}
}}
rehypePlugins={[
[rehypeSanitize],
[rehypeVideo, { test: /\/(.*)(.mp4|.mov|.webm|.mkv|.flv)$/, details: null }],
[rehypeExternalLinks, { rel: ['nofollow noreferrer noopener'], target: '_blank' }]
]}

19
web/yarn.lock
View File

@ -3162,7 +3162,7 @@
remark-gfm "~3.0.1"
unist-util-visit "^4.1.0"
"@ungap/structured-clone@^1.0.0":
"@ungap/structured-clone@^1.0.0", "@ungap/structured-clone@^1.2.0":
version "1.2.0"
resolved "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.2.0.tgz#756641adb587851b5ccb3e095daf27ae581c8406"
integrity sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==
@ -6651,6 +6651,15 @@ hast-util-raw@^9.0.0:
web-namespaces "^2.0.0"
zwitch "^2.0.0"
hast-util-sanitize@^5.0.0:
version "5.0.1"
resolved "https://registry.npmjs.org/hast-util-sanitize/-/hast-util-sanitize-5.0.1.tgz#8e90068cd68e651c569960b77a1b25076579b4cf"
integrity sha512-IGrgWLuip4O2nq5CugXy4GI2V8kx4sFVy5Hd4vF7AR2gxS0N9s7nEAVUyeMtZKZvzrxVsHt73XdTsno1tClIkQ==
dependencies:
"@types/hast" "^3.0.0"
"@ungap/structured-clone" "^1.2.0"
unist-util-position "^5.0.0"
hast-util-select@^5.0.5, hast-util-select@~5.0.1:
version "5.0.5"
resolved "https://registry.yarnpkg.com/hast-util-select/-/hast-util-select-5.0.5.tgz#be9ccb71d2278681ca024727f12abd4f93b3e9bc"
@ -10837,6 +10846,14 @@ rehype-rewrite@~3.0.6:
unified "~10.1.1"
unist-util-visit "~4.1.0"
rehype-sanitize@^6.0.0:
version "6.0.0"
resolved "https://registry.npmjs.org/rehype-sanitize/-/rehype-sanitize-6.0.0.tgz#16e95f4a67a69cbf0f79e113c8e0df48203db73c"
integrity sha512-CsnhKNsyI8Tub6L4sm5ZFsme4puGfc6pYylvXo1AeqaGbjOYyzNv3qZPwvs0oMJ39eryyeOdmxwUIo94IpEhqg==
dependencies:
"@types/hast" "^3.0.0"
hast-util-sanitize "^5.0.0"
rehype-slug@~5.1.0:
version "5.1.0"
resolved "https://registry.yarnpkg.com/rehype-slug/-/rehype-slug-5.1.0.tgz#1f7e69be7ea1a2067bcc4cfe58e74c881d5c047e"