Fix: Implement DOMPurify to sanitize HTML content before rendering #1498

Merged
merged 1 commit into from
Jul 15, 2024

dservian
Contributor

@dservian dservian commented Jul 12, 2024

What problem does this PR solve?

This PR resolves issue #1491 related to HTML Injection and Cross-Site Scripting (XSS). The issue was caused by the unsafe usage of dangerouslySetInnerHTML without proper sanitization of user input.

Changes

  • Added DOMPurify dependency.
  • Updated the following components to use DOMPurify:
    • web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx
    • web/src/pages/chat/markdown-content/index.tsx
    • web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx

Type of change

  • Other (please describe): Security Fix
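
The pattern the PR description names, as an added example that is not code from this pull request or from the project: a component that passes an untrusted string to `dangerouslySetInnerHTML`, next to the same component with the string run through `DOMPurify.sanitize` first. The component, prop and helper names are hypothetical.

```tsx
// Added example: sanitizeHtml, ChunkPreviewProps and both components are
// hypothetical names, not taken from the project's source.
import { useMemo } from 'react';
import DOMPurify from 'dompurify';

interface ChunkPreviewProps {
  // HTML string whose origin is not trusted (user input, uploaded content).
  html: string;
}

// One shared policy, so every render site sanitizes the same way.
// USE_PROFILES: { html: true } keeps ordinary HTML and drops SVG and MathML.
export function sanitizeHtml(dirty: string): string {
  return DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
}

// Before: the string reaches innerHTML unchanged, so any markup it carries
// is parsed by the browser as part of the page.
export function UnsafeChunkPreview({ html }: ChunkPreviewProps) {
  return <div dangerouslySetInnerHTML={{ __html: html }} />;
}

// After: the string is sanitized immediately before rendering. useMemo
// avoids re-sanitizing on re-renders where the input has not changed.
export function SafeChunkPreview({ html }: ChunkPreviewProps) {
  const clean = useMemo(() => sanitizeHtml(html), [html]);
  return <div dangerouslySetInnerHTML={{ __html: clean }} />;
}
```

DOMPurify needs a DOM, so this runs as written in the browser. Sanitizing at the render site, rather than only when content is stored, also covers data that was saved before the fix.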

@dservian dservian changed the title Implement DOMPurify to sanitize HTML content before rendering Fix: Implement DOMPurify to sanitize HTML content before rendering Jul 13, 2024
@KevinHuSh KevinHuSh requested a review from cike8899 July 14, 2024 06:56
@KevinHuSh KevinHuSh merged commit bafe137 into infiniflow:main Jul 15, 2024
1 check passed
@dservian dservian deleted the sanitize-unsafe-html branch July 15, 2024 08:44
Halfknow pushed a commit to Halfknow/ragflow that referenced this pull request Nov 11, 2024
…nfiniflow#1498)

### What problem does this PR solve?

This PR resolves issue infiniflow#1491 related to HTML Injection and Cross-Site
Scripting (XSS). The issue was caused by the unsafe usage of
`dangerouslySetInnerHTML` without proper sanitization of user input.

### Changes
- Added DOMPurify dependency.
- Updated the following components to use DOMPurify:
  - `web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx`
  - `web/src/pages/chat/markdown-content/index.tsx`
  - `web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx`

### Type of change

- [x] Other (please describe): Security Fix