fix: sanitize markdown preview on content change

ec24ac27 · NGPixel · b2931471 · ec24ac27 · ec24ac27 · ec24ac27
Commit ec24ac27 authored May 01, 2020 by NGPixel
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

editor-markdown.vue client/components/editor/editor-markdown.vue +2 -1

package.json package.json +1 -0

yarn.lock yarn.lock +0 -0

No files found.
--- a/client/components/editor/editor-markdown.vue
+++ b/client/components/editor/editor-markdown.vue
@@ -184,6 +184,7 @@ import _ from 'lodash'
 import { get, sync } from 'vuex-pathify'
 import markdownHelp from './markdown/help.vue'
 import gql from 'graphql-tag'
+import DOMPurify from 'dompurify'
 /* global siteConfig, siteLangs */
@@ -395,7 +396,7 @@ export default {
    onCmInput: _.debounce(function (newContent) {
      linesMap = []
      this.$store.set('editor/content', newContent)
-      this.previewHTML = md.render(newContent)
+      this.previewHTML = DOMPurify.sanitize(md.render(newContent))
      this.$nextTick(() => {
        this.renderMermaidDiagrams()
        Prism.highlightAllUnder(this.$refs.editorPreview)

--- a/package.json
+++ b/package.json
@@ -65,6 +65,7 @@
    "dependency-graph": "0.9.0",
    "diff": "4.0.2",
    "diff2html": "3.1.6",
+    "dompurify": "2.0.10",
    "dotize": "0.3.0",
    "elasticsearch6": "npm:@elastic/elasticsearch@6",
    "elasticsearch7": "npm:@elastic/elasticsearch@7",

--- a/yarn.lock
+++ b/yarn.lock