Upgrade react-markdown to prevent xss from stored markdown (#1567)

Prevent XSS attacks from stored markdown by updating react-markdown to v5, which sanitizes HTML.
This commit is contained in:
Sebastian Sdorra
2021-03-03 15:06:34 +01:00
committed by GitHub
parent 4ec01ff4d1
commit 0072808c7d
8 changed files with 3261 additions and 167 deletions


@@ -23,8 +23,9 @@
*/
import React, { FC } from "react";
import { RouteComponentProps, withRouter } from "react-router-dom";
// @ts-ignore
import Markdown from "react-markdown/with-html";
import Markdown from "react-markdown";
import MarkdownWithHtml from "react-markdown/with-html";
import gfm from "remark-gfm";
import { binder } from "@scm-manager/ui-extensions";
import ErrorBoundary from "./ErrorBoundary";
import { create as createMarkdownHeadingRenderer } from "./MarkdownHeadingRenderer";
@@ -82,13 +83,13 @@ const MarkdownErrorNotification: FC = () => {
class MarkdownView extends React.Component<Props, State> {
static defaultProps: Partial<Props> = {
enableAnchorHeadings: false,
skipHtml: false,
skipHtml: false
};
constructor(props: Props) {
super(props);
this.state = {
contentRef: null,
contentRef: null
};
}
@@ -141,17 +142,18 @@ class MarkdownView extends React.Component<Props, State> {
rendererList.code = MarkdownCodeRenderer;
}
const baseProps = {
className: "content is-word-break",
renderers: rendererList,
plugins: [gfm],
astPlugins: [createTransformer(t)],
children: content
};
return (
<ErrorBoundary fallback={MarkdownErrorNotification}>
<div ref={(el) => this.setState({ contentRef: el })}>
<Markdown
className="content is-word-break"
skipHtml={skipHtml}
escapeHtml={skipHtml}
source={content}
renderers={rendererList}
astPlugins={[createTransformer(t)]}
/>
<div ref={el => this.setState({ contentRef: el })}>
{skipHtml ? <Markdown {...baseProps} /> : <MarkdownWithHtml {...baseProps} allowDangerousHtml={true} />}
</div>
</ErrorBoundary>
);
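Review bot: With `skipHtml: false` still the default in `defaultProps`, the new ternary sends every caller that does not set `skipHtml` through `<MarkdownWithHtml {...baseProps} allowDangerousHtml={true} />`, which hands raw HTML from the stored markdown to the HTML renderer rather than escaping it; react-markdown's own README describes `allowDangerousHtml` as unsafe with user-supplied content, so the "sanitizes html" claim in the description only holds for the escaping `<Markdown>` branch. If stored repository markdown can reach this component with the default props, the smallest fix is to flip the default, `skipHtml: true`, so HTML rendering becomes an explicit opt-in for trusted content; otherwise the with-html branch needs an allowlist applied to the parsed HTML (permitted tags and attributes, no `javascript:` URLs, no `on*` handlers) before it becomes React elements. I cannot see from this page which callers pass `skipHtml`, so whether the default path is actually reachable with untrusted content needs confirming against them. The `render` method this return statement belongs to starts outside the hunk.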