feat: add rehype-sanitize to protect markdown html from xss

2 months ago · 0e17991d4f
parent 8e593f7200
commit 0e17991d4f
3 changed files with 42 additions and 7 deletions
--- a/client/web/package.json
+++ b/client/web/package.json
@ -72,6 +72,7 @@
    "react-virtualized-auto-sizer": "^1.0.7",
    "react-virtuoso": "^4.4.0",
    "rehype-raw": "^6.1.1",
+    "rehype-sanitize": "^6.0.0",
    "remark-gfm": "^3.0.1",
    "socket.io-client": "^4.6.1",
    "source-ref-runtime": "^1.0.7",
--- a/client/web/src/components/Markdown/render.tsx
+++ b/client/web/src/components/Markdown/render.tsx
@ -4,8 +4,8 @@ import { isValidStr, parseUrlStr, useTranslation } from 'tailchat-shared';
 import { Loadable } from '../Loadable';
 import { Image } from 'tailchat-design';
 import remarkGfm from 'remark-gfm';
-// import rehypeRaw from 'rehype-raw';
-// import rehypeSanitize from 'rehype-sanitize';
+import rehypeRaw from 'rehype-raw';
+import rehypeSanitize from 'rehype-sanitize';
 import './render.less';

 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
@ -82,7 +82,7 @@ export const Markdown: React.FC<{
      transformImageUri={(src) => transformUrl(src)}
      transformLinkUri={(href) => transformUrl(href)}
      remarkPlugins={[remarkGfm]}
-      // rehypePlugins={[rehypeRaw, rehypeSanitize]}
+      rehypePlugins={[rehypeRaw, rehypeSanitize]}
      linkTarget="_blank"
      skipHtml={true}
      components={components}
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -755,6 +755,9 @@ importers:
      rehype-raw:
        specifier: ^6.1.1
        version: 6.1.1
+      rehype-sanitize:
+        specifier: ^6.0.0
+        version: 6.0.0
      remark-gfm:
        specifier: ^3.0.1
        version: 3.0.1
@ -12245,6 +12248,12 @@ packages:
    dependencies:
      '@types/unist': 3.0.0

+  /@types/hast@3.0.4:
+    resolution: {integrity: sha512-WPs+bbQw5aCj+x6laNGWLH3wviHtoCv/P3+otBhbOhJgG8qtpdAMlTCxLtsTWA7LH1Oh/bFCHsBn0TPS5m30EQ==}
+    dependencies:
+      '@types/unist': 3.0.0
+    dev: false
+
  /@types/history@4.7.11:
    resolution: {integrity: sha512-qjDJRrmvBMiTx+jyLxvLfJU7UznFuokDv4f3WRuriHKERccVpFU+8XMQUAbDzoiJCsmexxRExQeMwwCdamSKDA==}

@ -13146,6 +13155,10 @@ packages:
      eslint-visitor-keys: 3.3.0
    dev: true

+  /@ungap/structured-clone@1.2.1:
+    resolution: {integrity: sha512-fEzPV3hSkSMltkw152tJKNARhOupqbH96MZWyRjNaYZOMIzbrTeQDG+MTc6Mr2pgzFQzFxAfmhGDNP5QK++2ZA==}
+    dev: false
+
  /@use-gesture/core@10.2.24:
    resolution: {integrity: sha512-ZL7F9mgOn3Qlnp6QLI9jaOfcvqrx6JPE/BkdVSd8imveaFTm/a3udoO6f5Us/1XtqnL4347PsIiK6AtCvMHk2Q==}
    dev: false
@ -19273,7 +19286,7 @@ packages:
    dependencies:
      loader-utils: 2.0.4
      schema-utils: 3.1.1
-      webpack: 5.75.0(esbuild@0.15.18)
+      webpack: 5.75.0(esbuild@0.12.29)(webpack-cli@4.10.0)

  /file-system-cache@1.1.0:
    resolution: {integrity: sha512-IzF5MBq+5CR0jXx5RxPe4BICl/oEhBSXKaL9fLhAXrIfIUS77Hr4vzrYyqYMHN6uTt+BOqi3fDCTjjEBCjERKw==}
@ -20548,6 +20561,14 @@ packages:
      '@types/hast': 2.3.4
    dev: false

+  /hast-util-sanitize@5.0.2:
+    resolution: {integrity: sha512-3yTWghByc50aGS7JlGhk61SPenfE/p1oaFeNwkOOyrscaOkMGrcW9+Cy/QAIOBpZxP1yqDIzFMR0+Np0i0+usg==}
+    dependencies:
+      '@types/hast': 3.0.4
+      '@ungap/structured-clone': 1.2.1
+      unist-util-position: 5.0.0
+    dev: false
+
  /hast-util-to-html@8.0.4:
    resolution: {integrity: sha512-4tpQTUOr9BMjtYyNlt0P50mH7xj0Ks2xpo8M943Vykljf99HW6EzulIoJP1N3eKOSScEHzyzi9dm7/cn0RfGwA==}
    dependencies:
@ -23224,7 +23245,7 @@ packages:
    dependencies:
      klona: 2.0.6
      less: 4.1.3
-      webpack: 5.75.0(esbuild@0.15.18)
+      webpack: 5.75.0(esbuild@0.12.29)(webpack-cli@4.10.0)

  /less@3.13.1:
    resolution: {integrity: sha512-SwA1aQXGUvp+P5XdZslUOhhLnClSLIjWvJhmd+Vgib5BFIr9lMNlQwmwUNOjXThF/A0x+MCYYPeWEfeWiLRnTw==}
@ -30055,6 +30076,13 @@ packages:
      unified: 10.1.2
    dev: false

+  /rehype-sanitize@6.0.0:
+    resolution: {integrity: sha512-CsnhKNsyI8Tub6L4sm5ZFsme4puGfc6pYylvXo1AeqaGbjOYyzNv3qZPwvs0oMJ39eryyeOdmxwUIo94IpEhqg==}
+    dependencies:
+      '@types/hast': 3.0.4
+      hast-util-sanitize: 5.0.2
+    dev: false
+
  /rehype-stringify@9.0.3:
    resolution: {integrity: sha512-kWiZ1bgyWlgOxpqD5HnxShKAdXtb2IUljn3hQAhySeak6IOQPPt6DeGnsIh4ixm7yKJWzm8TXFuC/lPfcWHJqw==}
    dependencies:
@ -33698,6 +33726,12 @@ packages:
      '@types/unist': 2.0.6
    dev: false

+  /unist-util-position@5.0.0:
+    resolution: {integrity: sha512-fucsC7HjXvkB5R3kTCO7kUjRdrS0BJt3M/FPxmHMBOm8JQi2BsHAHFsy27E0EolP8rp0NzXsJ+jNPyDWvOJZPA==}
+    dependencies:
+      '@types/unist': 3.0.0
+    dev: false
+
  /unist-util-remove-position@2.0.1:
    resolution: {integrity: sha512-fDZsLYIe2uT+oGFnuZmy73K6ZxOPG/Qcm+w7jbEjaFcJgbQ6cqjs/eSPzXhsmGpAsWPkqZM9pYjww5QTn3LHMA==}
    dependencies:
@ -33938,7 +33972,7 @@ packages:
      loader-utils: 2.0.4
      mime-types: 2.1.35
      schema-utils: 3.1.1
-      webpack: 5.75.0(esbuild@0.15.18)
+      webpack: 5.75.0(esbuild@0.12.29)(webpack-cli@4.10.0)

  /url-parse@1.5.10:
    resolution: {integrity: sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==}
@ -34597,7 +34631,7 @@ packages:
      mime-types: 2.1.35
      range-parser: 1.2.1
      schema-utils: 4.0.0
-      webpack: 5.75.0(esbuild@0.15.18)
+      webpack: 5.75.0(esbuild@0.12.29)(webpack-cli@4.10.0)

  /webpack-dev-server@4.11.1(webpack-cli@4.10.0)(webpack@5.75.0):
    resolution: {integrity: sha512-lILVz9tAUy1zGFwieuaQtYiadImb5M3d+H+L1zDYalYoDl0cksAB1UNyuE5MMWJrG6zR1tXkCP2fitl7yoUJiw==}