Skip to content
This repository was archived by the owner on Jun 27, 2026. It is now read-only.
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@
"fs-extra": "^11.3.3",
"genkit": "^1.29.0",
"import-in-the-middle": "^3.0.0",
"isomorphic-dompurify": "^2.22.0",
"lucide-react": "^0.575.0",
"markdown-it": "^14.1.1",
"nanostores": "^1.1.0",
Expand Down
11 changes: 8 additions & 3 deletions src/components/markdown.tsx
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
import markdownit from "markdown-it"
import DOMPurify from "isomorphic-dompurify"
import { cn } from "@/lib/utils"
import { ComponentProps } from "react"

const md = markdownit()
const md = markdownit({
html: false,
linkify: true,
})

type MarkdownProps = {
text: string
Expand All @@ -11,5 +15,6 @@ type MarkdownProps = {

export default function Markdown({ text, className, ...props }: MarkdownProps) {
const html = md.render(text)
return <div dangerouslySetInnerHTML={{ __html: html }} className={cn("markdown", className)} {...props} />
}
const sanitizedHtml = DOMPurify.sanitize(html)
return <div dangerouslySetInnerHTML={{ __html: sanitizedHtml }} className={cn("markdown", className)} {...props} />
}
27 changes: 27 additions & 0 deletions tests/jest/components/markdown.test.tsx
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
import { render } from '@testing-library/react';
import Markdown from '@/components/markdown';

jest.mock('@/lib/utils', () => ({
cn: (...inputs: any[]) => inputs.join(' '),
}));

// Mock isomorphic-dompurify if necessary, but it's better to test the real thing if possible.
// Since we can't run it anyway, this is mostly for documentation of the intent.

describe('Markdown Component Security', () => {
it('should escape malicious HTML in markdown due to markdown-it config', () => {
const maliciousMarkdown = '<img src=x onerror=alert("XSS")>';
const { container } = render(<Markdown text={maliciousMarkdown} />);
const img = container.querySelector('img');
expect(img).toBeNull();
expect(container.innerHTML).toContain('&lt;img src=x onerror=alert("XSS")&gt;');
});

it('should sanitize malicious links in markdown', () => {
const maliciousMarkdown = '[click me](javascript:alert("XSS"))';
const { container } = render(<Markdown text={maliciousMarkdown} />);
const a = container.querySelector('a');
// DOMPurify should sanitize the href
expect(a?.getAttribute('href')).not.toBe('javascript:alert("XSS")');
});
});
Loading