Remove DOMpurify and use XSS instead

TouK · Dec 10, 2024 · b86157d · b86157d
1 parent f3e9db5
commit b86157d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/designer/client/package.json b/designer/client/package.json
@@ -22,7 +22,6 @@
         "d3-transition": "3.0.1",
         "d3-zoom": "3.0.0",
         "dagre": "0.8.5",
-        "dompurify": "3.2.0",
         "event-from": "1.0.0",
         "file-saver": "2.0.5",
         "flattenizer": "1.1.1",

diff --git a/designer/client/src/components/graph/EspNode/stickyNote.ts b/designer/client/src/components/graph/EspNode/stickyNote.ts
@@ -5,7 +5,7 @@ import { StickyNote } from "../../../common/StickyNote";
 import { marked } from "marked";
 import { StickyNoteElement } from "../StickyNoteElement";
 import MarkupNodeJSON = dia.MarkupNodeJSON;
-import DOMPurify from "dompurify";
+import xss from "xss";
 
 export const STICKY_NOTE_CONSTRAINTS = {
     MIN_WIDTH: 100,
@@ -64,7 +64,7 @@ renderer.image = function (href, title, text) {
 const foreignObject = (stickyNote: StickyNote): MarkupNodeJSON => {
     let parsed;
     try {
-        parsed = DOMPurify.sanitize(marked.parse(stickyNote.content, { renderer }), { ADD_ATTR: ["target"] });
+        parsed = xss(marked.parse(stickyNote.content, { renderer }), { whiteList: { a: ["href", "title", "target", "class"] } });
     } catch (error) {
         console.error("Failed to parse markdown:", error);
         parsed = "Error: Could not parse content. See error logs in console";