Skip to content

C
canifa_note
Unverified Commit d264f459 authored by andrigamerita's avatar andrigamerita Committed by GitHub
Browse files
Options

fix: code blocks of unknown languages cause HTML injection (#3711) 

* fix: code blocks of unknown languages cause HTML injection

A code block of unknown language (that is, a language not treated as special by Memos and not handled by highlight.js) should fall back on rendering its plaintext content. However, the content is never properly escaped before it is appended to the DOM, and thus any string that happens to contain HTML is unsafely rendered. This commit fixes the issue by ensuring that, when none of the previous cases handle the text, any HTML entities are escaped first.

* Update CodeBlock.tsx to conform to eslint
parent af952807
Show whitespace changes
Inline Side-by-side
Showing with 4 additions and 1 deletion
web/src/components/MemoContent/CodeBlock.tsx
View file @ d264f459
...@@ -42,7 +42,10 @@ const CodeBlock: React.FC<Props> = ({ language, content }: Props) => { ...@@ -42,7 +42,10 @@ const CodeBlock: React.FC<Props> = ({ language, content }: Props) => {
// Skip error and use default highlighted code. // Skip error and use default highlighted code.
} }
return content; // escape any HTML entities when rendering original content
return Object.assign(document.createElement("span"), {
textContent: content,
}).innerHTML;
}, [formatedLanguage, content]); }, [formatedLanguage, content]);
const handleCopyButtonClick = useCallback(() => { const handleCopyButtonClick = useCallback(() => {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment