From fc50aedc30c722b718f741f22616fb18d0dc2093 Mon Sep 17 00:00:00 2001
From: kira-offgrid <kira@offgridsec.com>
Date: Fri, 4 Jul 2025 02:51:21 +0000
Subject: [PATCH] fix:
 typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml-src-core-plugins-oas3-wrap-components-markdown.jsx

---
 package-lock.json                             | 14 ++++-
 package.json                                  |  3 +-
 .../plugins/oas3/wrap-components/markdown.jsx | 53 +++++++++----------
 3 files changed, 39 insertions(+), 31 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index fe98983ced2..630a859c57b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -60,6 +60,7 @@
         "@pmmmwh/react-refresh-webpack-plugin": "^0.6.0",
         "@release-it/conventional-changelog": "=8.0.2",
         "@svgr/webpack": "=8.1.0",
+        "@types/dompurify": "=3.2.0",
         "autoprefixer": "^10.4.21",
         "babel-loader": "^9.2.1",
         "babel-plugin-lodash": "=3.3.4",
@@ -6264,6 +6265,16 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/dompurify": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-3.2.0.tgz",
+      "integrity": "sha512-Fgg31wv9QbLDA0SpTOXO3MaxySc4DKGLi8sna4/Utjo4r3ZRPdCt4UQee8BWr+Q5z21yifghREPJGYaEOEIACg==",
+      "deprecated": "This is a stub types definition. dompurify provides its own type definitions, so you do not need this installed.",
+      "dev": true,
+      "dependencies": {
+        "dompurify": "*"
+      }
+    },
     "node_modules/@types/eslint": {
       "version": "9.6.1",
       "dev": true,
@@ -10541,7 +10552,8 @@
     },
     "node_modules/dompurify": {
       "version": "3.2.4",
-      "license": "(MPL-2.0 OR Apache-2.0)",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.4.tgz",
+      "integrity": "sha512-ysFSFEDVduQpyhzAob/kkuJjf5zWkZD8/A9ywSp1byueyuCfHamrCBa14/Oc2iiB0e51B+NpxSl5gmzn+Ms/mg==",
       "optionalDependencies": {
         "@types/trusted-types": "^2.0.7"
       }
diff --git a/package.json b/package.json
index 04a8439f9d5..da41a4f3de6 100644
--- a/package.json
+++ b/package.json
@@ -124,6 +124,7 @@
     "@pmmmwh/react-refresh-webpack-plugin": "^0.6.0",
     "@release-it/conventional-changelog": "=8.0.2",
     "@svgr/webpack": "=8.1.0",
+    "@types/dompurify": "=3.2.0",
     "autoprefixer": "^10.4.21",
     "babel-loader": "^9.2.1",
     "babel-plugin-lodash": "=3.3.4",
@@ -171,9 +172,9 @@
     "oauth2-server": "^2.4.1",
     "open": "^10.1.0",
     "postcss": "^8.5.3",
-    "postcss-scss": "^4.0.9",
     "postcss-loader": "^8.1.1",
     "postcss-preset-env": "^10.1.6",
+    "postcss-scss": "^4.0.9",
     "prettier": "^3.5.3",
     "process": "^0.11.10",
     "react-refresh": "^0.17.0",
diff --git a/src/core/plugins/oas3/wrap-components/markdown.jsx b/src/core/plugins/oas3/wrap-components/markdown.jsx
index 95ca2f4bb03..09fd7bca688 100644
--- a/src/core/plugins/oas3/wrap-components/markdown.jsx
+++ b/src/core/plugins/oas3/wrap-components/markdown.jsx
@@ -1,45 +1,40 @@
 import React from "react"
 import PropTypes from "prop-types"
-import cx from "classnames"
-import { Remarkable } from "remarkable"
-import { OAS3ComponentWrapFactory } from "../helpers"
-import { sanitizer } from "core/components/providers/markdown"
+import DOMPurify from "dompurify"
 
-const parser = new Remarkable("commonmark")
-parser.block.ruler.enable(["table"])
-parser.set({ linkTarget: "_blank" })
+export default (Original, system) => (props) => {
+  const { getComponent, getStore } = system
+  const { fn } = getStore().getState()
+  const { source, className = "", getConfigs = () => ({}) } = props
+  const configs = getConfigs()
 
-export const Markdown = ({ source, className = "", getConfigs = () => ({ useUnsafeMarkdown: false }) }) => {
-  if(typeof source !== "string") {
+  if (typeof source !== "string") {
     return null
   }
 
-  if ( source ) {
-    const { useUnsafeMarkdown } = getConfigs()
-    const html = parser.render(source)
-    const sanitized = sanitizer(html, { useUnsafeMarkdown })
+  if (source === "") {
+    return null
+  }
 
-    let trimmed
+  const MarkdownComponent = getComponent("Markdown", true)
+  const NewlineComponent = getComponent("Newline", true)
 
-    if(typeof sanitized === "string") {
-      trimmed = sanitized.trim()
-    }
+  const html = fn.getMarkdownParser()(source || "")
+  const sanitizedHtml = DOMPurify.sanitize(html)
 
+  if (typeof html === "string") {
     return (
       <div
-        dangerouslySetInnerHTML={{
-          __html: trimmed
-        }}
-        className={cx(className, "renderedMarkdown")}
+        className={className}
+        dangerouslySetInnerHTML={{ __html: sanitizedHtml }}
       />
     )
   }
-  return null
-}
-Markdown.propTypes = {
-  source: PropTypes.string,
-  className: PropTypes.string,
-  getConfigs: PropTypes.func,
-}
 
-export default OAS3ComponentWrapFactory(Markdown)
+  return (
+    <div className={className}>
+      <MarkdownComponent source={source} />
+      <NewlineComponent />
+    </div>
+  )
+}