From 5063c70f5a4cdcb6ac1d5c22fb3da88d5cec54a1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 10 Dec 2024 17:39:45 +0000
Subject: [PATCH] Sanitize markdown when previewing report header/footer (#476)

Signed-off-by: Joshua Li
(cherry picked from commit 29735620663b4b96a68ebf8fd50699bcaefe9317)
Signed-off-by: github-actions[bot]
---
 .../report_definitions/report_settings/report_settings.tsx | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/public/components/report_definitions/report_settings/report_settings.tsx b/public/components/report_definitions/report_settings/report_settings.tsx
index 9e185862..b4beedf0 100644
--- a/public/components/report_definitions/report_settings/report_settings.tsx
+++ b/public/components/report_definitions/report_settings/report_settings.tsx
@@ -3,6 +3,7 @@
 * SPDX-License-Identifier: Apache-2.0
 */
 
+import createDOMPurify from 'dompurify';
 import React, { useEffect, useState } from 'react';
 import { i18n } from '@osd/i18n';
 import {
@@ -340,6 +341,8 @@ export function ReportSettings(props: ReportSettingProps) {
 setCheckboxIdSelectHeaderFooter(newCheckboxIdToSelectedMap);
 };
 
+ const DOMPurify = createDOMPurify(window);
+
 const showFooter = checkboxIdSelectHeaderFooter.footer ? (
- Promise.resolve(converter.makeHtml(markdown))
+ Promise.resolve(DOMPurify.sanitize(converter.makeHtml(markdown)))
 }
 />
@@ -380,7 +383,7 @@ export function ReportSettings(props: ReportSettingProps) {
 ['unordered-list', 'ordered-list', 'checked-list'],
 ]}
 generateMarkdownPreview={(markdown) =>
- Promise.resolve(converter.makeHtml(markdown))
+ Promise.resolve(DOMPurify.sanitize(converter.makeHtml(markdown)))
 }
 />
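Review bot: `const DOMPurify = createDOMPurify(window);` in the `@@ -340` hunk sits inside the ReportSettings function body, so a fresh DOMPurify instance is built on every render; moving that line to module scope next to the new import, or wrapping it in `useMemo(() => createDOMPurify(window), [])`, keeps one instance that both `generateMarkdownPreview` callbacks (this hunk and `@@ -380`) share. A short comment at the sanitize call would record the intent for the next reader, e.g. `// converter.makeHtml output is untrusted HTML; sanitize before it is rendered as the preview`. The title scopes the fix to the preview; if the same header/footer markdown is converted to HTML anywhere else for the generated report, that path presumably needs the same treatment, which is worth confirming outside this diff. The enclosing ReportSettings function starts and ends outside these hunks, and some context lines appear to have been lost in the page extraction.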