Files
excalidraw-box/.jules/sentinel.md
ruinivist e034fabe62 🛡️ Sentinel: [HIGH] Mitigate XSS in CodeBlock rendering via DOMPurify
Sanitize HTML string generated by Shiki before rendering it via `dangerouslySetInnerHTML` in CodeBlockEmbeddable and CodeBlockSidebar.
2026-06-04 08:24:40 +00:00

766 B

2024-06-04 - Defense in Depth: Shiki HTML Sanitization

Vulnerability: Potential XSS via dangerouslySetInnerHTML in CodeBlock components rendering Shiki highlighted code. Learning: While Shiki is generally considered safe as it just wraps code in spans, passing user-controlled input (even if it's "code") through an external library and directly into dangerouslySetInnerHTML without explicit sanitization creates an unnecessary risk surface. A vulnerability or misconfiguration in the highlighter could lead to XSS. Prevention: Always wrap the output of HTML generators (like Shiki) in a dedicated sanitizer (like DOMPurify) before using dangerouslySetInnerHTML, even if the generator is deemed "safe." This is a core tenet of defense in depth.