🛡️ Sentinel: [HIGH] Mitigate XSS in CodeBlock rendering via DOMPurify

Sanitize HTML string generated by Shiki before rendering it via `dangerouslySetInnerHTML` in CodeBlockEmbeddable and CodeBlockSidebar.
This commit is contained in:
ruinivist
2026-06-04 08:24:40 +00:00
parent 01300c7061
commit e034fabe62
5 changed files with 17 additions and 4 deletions
@@ -1,4 +1,5 @@
import { memo, useEffect, useState } from "react";
import DOMPurify from "dompurify";
import type { ExcalidrawProps } from "@excalidraw/excalidraw/types";
import type {
ExcalidrawEmbeddableElement,
@@ -57,7 +58,7 @@ const CodeBlockEmbeddable = memo(function CodeBlockEmbeddable({
{html ? (
<div
className="codeblock-embeddable-html"
dangerouslySetInnerHTML={{ __html: html }}
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }}
/>
) : (
<pre className="codeblock-embeddable-fallback">
+2 -1
View File
@@ -1,4 +1,5 @@
import { useEffect, useRef, useState } from "react";
import DOMPurify from "dompurify";
import {
CODE_BLOCK_LANGUAGES,
type CodeBlockDraftState,
@@ -75,7 +76,7 @@ function CodeBlockEditor({
{html ? (
<div
className="codeblock-editor-highlight-html"
dangerouslySetInnerHTML={{ __html: html }}
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }}
/>
) : (
<pre className="codeblock-editor-highlight-fallback">