From fc50aedc30c722b718f741f22616fb18d0dc2093 Mon Sep 17 00:00:00 2001 From: kira-offgrid Date: Fri, 4 Jul 2025 02:51:21 +0000 Subject: [PATCH] fix: typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml-src-core-plugins-oas3-wrap-components-markdown.jsx --- package-lock.json | 14 ++++- package.json | 3 +- .../plugins/oas3/wrap-components/markdown.jsx | 53 +++++++++---------- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/package-lock.json b/package-lock.json index fe98983ced2..630a859c57b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -60,6 +60,7 @@ "@pmmmwh/react-refresh-webpack-plugin": "^0.6.0", "@release-it/conventional-changelog": "=8.0.2", "@svgr/webpack": "=8.1.0", + "@types/dompurify": "=3.2.0", "autoprefixer": "^10.4.21", "babel-loader": "^9.2.1", "babel-plugin-lodash": "=3.3.4", @@ -6264,6 +6265,16 @@ "@types/node": "*" } }, + "node_modules/@types/dompurify": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-3.2.0.tgz", + "integrity": "sha512-Fgg31wv9QbLDA0SpTOXO3MaxySc4DKGLi8sna4/Utjo4r3ZRPdCt4UQee8BWr+Q5z21yifghREPJGYaEOEIACg==", + "deprecated": "This is a stub types definition. dompurify provides its own type definitions, so you do not need this installed.", + "dev": true, + "dependencies": { + "dompurify": "*" + } + }, "node_modules/@types/eslint": { "version": "9.6.1", "dev": true, @@ -10541,7 +10552,8 @@ }, "node_modules/dompurify": { "version": "3.2.4", - "license": "(MPL-2.0 OR Apache-2.0)", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.4.tgz", + "integrity": "sha512-ysFSFEDVduQpyhzAob/kkuJjf5zWkZD8/A9ywSp1byueyuCfHamrCBa14/Oc2iiB0e51B+NpxSl5gmzn+Ms/mg==", "optionalDependencies": { "@types/trusted-types": "^2.0.7" } diff --git a/package.json b/package.json index 04a8439f9d5..da41a4f3de6 100644 --- a/package.json +++ b/package.json 
@@ -124,6 +124,7 @@
 "@pmmmwh/react-refresh-webpack-plugin": "^0.6.0",
 "@release-it/conventional-changelog": "=8.0.2",
 "@svgr/webpack": "=8.1.0",
+ "@types/dompurify": "=3.2.0",
 "autoprefixer": "^10.4.21",
 "babel-loader": "^9.2.1",
 "babel-plugin-lodash": "=3.3.4",
@@ -171,9 +172,9 @@
 "oauth2-server": "^2.4.1",
 "open": "^10.1.0",
 "postcss": "^8.5.3",
- "postcss-scss": "^4.0.9",
 "postcss-loader": "^8.1.1",
 "postcss-preset-env": "^10.1.6",
+ "postcss-scss": "^4.0.9",
 "prettier": "^3.5.3",
 "process": "^0.11.10",
 "react-refresh": "^0.17.0",
diff --git a/src/core/plugins/oas3/wrap-components/markdown.jsx b/src/core/plugins/oas3/wrap-components/markdown.jsx
index 95ca2f4bb03..09fd7bca688 100644
--- a/src/core/plugins/oas3/wrap-components/markdown.jsx
+++ b/src/core/plugins/oas3/wrap-components/markdown.jsx
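Review bot: The `@types/dompurify` devDependency added in the first hunk is unnecessary and loosens the dependency graph: the lockfile entry in this same patch marks `@types/dompurify@3.2.0` as a deprecated stub (dompurify ships its own type definitions) and declares a wildcard dependency `"dompurify": "*"`, so the constraint on the sanitizer's version is no longer expressed by this package.json alone. Drop the `"@types/dompurify": "=3.2.0",` line and regenerate the lock. The `postcss-scss` move in the second hunk is only a reorder.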
@@ -1,45 +1,40 @@
 import React from "react"
 import PropTypes from "prop-types"
-import cx from "classnames"
-import { Remarkable } from "remarkable"
-import { OAS3ComponentWrapFactory } from "../helpers"
-import { sanitizer } from "core/components/providers/markdown"
+import DOMPurify from "dompurify"
-const parser = new Remarkable("commonmark")
-parser.block.ruler.enable(["table"])
-parser.set({ linkTarget: "_blank" })
+export default (Original, system) => (props) => {
+ const { getComponent, getStore } = system
+ const { fn } = getStore().getState()
+ const { source, className = "", getConfigs = () => ({}) } = props
+ const configs = getConfigs()
-export const Markdown = ({ source, className = "", getConfigs = () => ({ useUnsafeMarkdown: false }) }) => {
- if(typeof source !== "string") {
+ if (typeof source !== "string") {
 return null
 }
- if ( source ) {
- const { useUnsafeMarkdown } = getConfigs()
- const html = parser.render(source)
- const sanitized = sanitizer(html, { useUnsafeMarkdown })
+ if (source === "") {
+ return null
+ }
- let trimmed
+ const MarkdownComponent = getComponent("Markdown", true)
+ const NewlineComponent = getComponent("Newline", true)
- if(typeof sanitized === "string") {
- trimmed = sanitized.trim()
- }
+ const html = fn.getMarkdownParser()(source || "")
+ const sanitizedHtml = DOMPurify.sanitize(html)
+ if (typeof html === "string") {
 return (
) } - return null -} -Markdown.propTypes = { - source: PropTypes.string, - className: PropTypes.string, - getConfigs: PropTypes.func, -} -export default OAS3ComponentWrapFactory(Markdown) + return ( +
+ + +
+ ) +}
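Review bot: The added guard `if (typeof html === "string")` tests the unsanitized parser output while the value that must reach the DOM is `sanitizedHtml`; the JSX of both `return (` branches is not visible in this rendering, so it cannot be confirmed that `dangerouslySetInnerHTML` is fed `sanitizedHtml` rather than `html`, and the guard should read `if (typeof sanitizedHtml === "string") {` with `dangerouslySetInnerHTML={{ __html: sanitizedHtml }}` on the element. Replacing the project `sanitizer(html, { useUnsafeMarkdown })` with a bare `DOMPurify.sanitize(html)` also silently drops the `useUnsafeMarkdown` setting (`configs` is read but never used) and the removed `linkTarget: "_blank"` parser option; DOMPurify's default attribute allow-list does not include `target`, so links that relied on it change behaviour unless the call passes `ADD_ATTR: ["target"]` together with a `rel="noopener noreferrer"` hook, or the code simply keeps routing through the existing sanitizer. `const { fn } = getStore().getState()` looks wrong — `fn` is presumably exposed on `system` rather than inside the store state (verify), and `getComponent("Markdown", true)` called from inside the component that wraps `Markdown` risks resolving to itself. `Original` is never used and `source || ""` is dead after the two preceding checks.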