Security hardening: prevent stored XSS and render crashes

- MarkdownView: add rehype-sanitize between rehype-raw and rehype-katex to strip scripts/event-handlers/javascript: URLs from user-authored markdown (was stored XSS, also affected the public /pg/* route); keep className on code/span/div so KaTeX and syntax highlighting still work. Add rehype-sanitize ^6.0.0 to deps and lockfile. - MarkdownContent / StandaloneMarkdownPage: parse markdown content via parseMarkdownContent() instead of an unguarded JSON.parse, so a single corrupt/legacy record no longer white-screens the whole page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 16:12:56 +01:00
parent c9310250e4
commit 045c7c51d6
6 changed files with 63 additions and 3 deletions
--- a/src/components/Markdowns/MarkdownContent.js
+++ b/src/components/Markdowns/MarkdownContent.js
@@ -10,6 +10,7 @@ import {useMarkdownSetting} from "../../utils/queries/markdown-setting-queries";
 import {useMarkdownTemplate} from "../../utils/queries/markdown-template-queries";
 import {useMarkdownTemplateSetting} from "../../utils/queries/markdown-template-setting-queries";
 import MarkdownSettingModal from "../Modals/MarkdownSettingModal";
+import { parseMarkdownContent } from "../../utils/safe-json";

 const MarkdownContent = () => {
    const { strId } = useParams();
@@ -68,7 +69,7 @@ const MarkdownContent = () => {
                    </div>
                </PermissionGuard>
            </div>
-            <MarkdownView content={JSON.parse(markdown.content)} template={template}/>
+            <MarkdownView content={parseMarkdownContent(markdown.content)} template={template}/>
            <MarkdownSettingModal 
                isOpen={isSettingModalOpen}
                markdown={markdown}