Skip to content

fix: DOMPurify hook memory leak in MarkdownText #38834

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ggazzo merged 9 commits into from
Feb 20, 2026
Merged

fix: DOMPurify hook memory leak in MarkdownText #38834

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
980b953
Initial plan
Copilot Feb 20, 2026
95562fc
Fix DOMPurify hook memory leak by using useEffect with cleanup
Copilot Feb 20, 2026
9994d34
Improve fix: register DOMPurify hook at module level instead of per-c…
Copilot Feb 20, 2026
ba7f77a
Fix trailing whitespace in code
Copilot Feb 20, 2026
63b8a94
Remove unnecessary wrapper function and guard for hook registration
Copilot Feb 20, 2026
1a6e58f
Use token-based approach for translations to enable contextualized t …
Copilot Feb 20, 2026
37a094a
Generate token at runtime to prevent enumeration attacks
Copilot Feb 20, 2026
cc39864
lint
ggazzo Feb 20, 2026
dac8fbc
Refactor MarkdownText tests to import DOMPurify correctly and ensure …
ggazzo Feb 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions apps/meteor/client/components/MarkdownText.spec.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import { mockAppRoot } from '@rocket.chat/mock-providers';
import { render, screen } from '@testing-library/react';
import dompurify from 'dompurify';

import MarkdownText, { supportedURISchemes } from './MarkdownText';

Expand Down Expand Up @@ -432,3 +433,37 @@ describe('code handling', () => {
expect(screen.getByRole('code').outerHTML).toEqual(expected);
});
});

describe('DOMPurify hook registration', () => {
it('should register hook only once at module level', () => {
// Import the module to trigger hook registration

const addHookSpy = jest.spyOn(dompurify, 'addHook');

// Clear any previous calls from module initialization
addHookSpy.mockClear();

const { rerender, unmount } = render(<MarkdownText content='[Test Link](https://example.com)' variant='document' />, {
wrapper: mockAppRoot().build(),
});

// Hook should NOT be registered during component render (it's registered at module level)
expect(addHookSpy).toHaveBeenCalledTimes(0);

// Re-rendering with different props should not register hook again
rerender(<MarkdownText content='[Another Link](https://example.com)' variant='document' />);
expect(addHookSpy).toHaveBeenCalledTimes(0);

// Rendering another instance should not register hook again
render(<MarkdownText content='[Third Link](https://test.com)' variant='inline' />, {
wrapper: mockAppRoot().build(),
});
expect(addHookSpy).toHaveBeenCalledTimes(0);

// Unmounting should not affect the module-level hook
unmount();
expect(addHookSpy).toHaveBeenCalledTimes(0);

addHookSpy.mockRestore();
});
});
87 changes: 51 additions & 36 deletions apps/meteor/client/components/MarkdownText.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,49 @@ type MarkdownTextProps = Partial<MarkdownTextParams>;

export const supportedURISchemes = ['http', 'https', 'notes', 'ftp', 'ftps', 'tel', 'mailto', 'sms', 'cid'];

const isElement = (node: Node): node is Element => node.nodeType === Node.ELEMENT_NODE;
const isLinkElement = (node: Node): node is HTMLAnchorElement => isElement(node) && node.tagName.toLowerCase() === 'a';

// Generate a unique token at runtime to prevent enumeration attacks
// This token marks internal links that need translation
const INTERNAL_LINK_TOKEN = `__INTERNAL_LINK_TITLE_${Math.random().toString(36).substring(2, 15)}__`;

// Register the DOMPurify hook once at module level to prevent memory leaks
// This hook will be shared by all MarkdownText component instances
dompurify.addHook('afterSanitizeAttributes', (node) => {
if (!isLinkElement(node)) {
return;
}

const href = node.getAttribute('href') || '';
const isExternalLink = isExternal(href);
const isMailto = href.startsWith('mailto:');

// Set appropriate attributes based on link type
if (isExternalLink || isMailto) {
node.setAttribute('rel', 'nofollow noopener noreferrer');
// Enforcing external links to open in new tabs is critical to assure users never navigate away from the chat
// This attribute must be preserved to guarantee users maintain their chat context
node.setAttribute('target', '_blank');
}

// Set appropriate title based on link type
if (isMailto) {
// For mailto links, use the email address as the title for better user experience
// Example: for href "mailto:user@example.com" the title would be "mailto:user@example.com"
node.setAttribute('title', href);
} else if (isExternalLink) {
// For external links, set an empty title to prevent tooltips
// This reduces visual clutter and lets users see the URL in the browser's status bar instead
node.setAttribute('title', '');
} else {
// For internal links, use a token that will be replaced with translated text in the component
// This allows us to use the contextualized translation function
const relativePath = href.replace(getBaseURI(), '');
node.setAttribute('title', `${INTERNAL_LINK_TOKEN}${relativePath}`);
}
});

const MarkdownText = ({
content,
variant = 'document',
Expand Down Expand Up @@ -143,41 +186,16 @@ const MarkdownText = ({
}
})();

// Add a hook to make all external links open a new window
dompurify.addHook('afterSanitizeAttributes', (node) => {
if (!isLinkElement(node)) {
return;
}
const sanitizedHtml = preserveHtml
? html
: html && sanitizer(html, { ADD_ATTR: ['target'], ALLOWED_URI_REGEXP: getRegexp(supportedURISchemes) });

const href = node.getAttribute('href') || '';
const isExternalLink = isExternal(href);
const isMailto = href.startsWith('mailto:');
// Replace internal link tokens with contextualized translations
if (sanitizedHtml && typeof sanitizedHtml === 'string') {
return sanitizedHtml.replace(new RegExp(`${INTERNAL_LINK_TOKEN}([^"]*)`, 'g'), (_, href) => t('Go_to_href', { href }));
}

// Set appropriate attributes based on link type
if (isExternalLink || isMailto) {
node.setAttribute('rel', 'nofollow noopener noreferrer');
// Enforcing external links to open in new tabs is critical to assure users never navigate away from the chat
// This attribute must be preserved to guarantee users maintain their chat context
node.setAttribute('target', '_blank');
}

// Set appropriate title based on link type
if (isMailto) {
// For mailto links, use the email address as the title for better user experience
// Example: for href "mailto:user@example.com" the title would be "mailto:user@example.com"
node.setAttribute('title', href);
} else if (isExternalLink) {
// For external links, set an empty title to prevent tooltips
// This reduces visual clutter and lets users see the URL in the browser's status bar instead
node.setAttribute('title', '');
} else {
// For internal links, add a translated title with the relative path
// Example: for href "https://my-server.rocket.chat/channel/general" the title would be "Go to #general"
node.setAttribute('title', `${t('Go_to_href', { href: href.replace(getBaseURI(), '') })}`);
}
});

return preserveHtml ? html : html && sanitizer(html, { ADD_ATTR: ['target'], ALLOWED_URI_REGEXP: getRegexp(supportedURISchemes) });
return sanitizedHtml;
}, [preserveHtml, sanitizer, content, variant, markedOptions, parseEmoji, t]);

return __html ? (
Expand All @@ -190,7 +208,4 @@ const MarkdownText = ({
) : null;
};

const isElement = (node: Node): node is Element => node.nodeType === Node.ELEMENT_NODE;
const isLinkElement = (node: Node): node is HTMLAnchorElement => isElement(node) && node.tagName.toLowerCase() === 'a';

export default MarkdownText;
Loading