hzhang
045c7c51d6
- MarkdownView: add rehype-sanitize between rehype-raw and rehype-katex to strip scripts/event-handlers/javascript: URLs from user-authored markdown (was stored XSS, also affected the public /pg/* route); keep className on code/span/div so KaTeX and syntax highlighting still work. Add rehype-sanitize ^6.0.0 to deps and lockfile. - MarkdownContent / StandaloneMarkdownPage: parse markdown content via parseMarkdownContent() instead of an unguarded JSON.parse, so a single corrupt/legacy record no longer white-screens the whole page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
12 lines
520 B
JavaScript
12 lines
520 B
JavaScript
// Markdown `content` is a JSON string. Records created via the API (or
|
|
// legacy/corrupt data) may not be valid JSON; an unguarded JSON.parse in a
|
|
// render path throws and white-screens the whole page (including the public
|
|
// /pg/* route). Parse defensively and degrade to a readable fallback.
|
|
export function parseMarkdownContent(raw) {
|
|
try {
|
|
return JSON.parse(raw);
|
|
} catch (e) {
|
|
return { markdown: "> ⚠️ This document could not be displayed: its stored content is not valid." };
|
|
}
|
|
}
|