Commit 11e5050

Replace marked sanitize with sanitize-html (#500) (#535)
Because the `sanitize` option in marked is deprecated and not safe, this commit replaces it with sanitize-html, which, unlike DOMPurify, works well with server-side rendering. Resolves #500
1 parent dca37ba commit 11e5050


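--- a/client/app/bundles/comments/components/CommentBox/CommentList/Comment/Comment.jsx
+++ b/client/app/bundles/comments/components/CommentBox/CommentList/Comment/Comment.jsx
@@ -3,6 +3,7 @@ import React from 'react';
 import PropTypes from 'prop-types';
 
 import { marked } from 'marked';
+import sanitizeHtml from 'sanitize-html';
 import css from './Comment.module.scss';
 
 export default class Comment extends BaseComponent {
@@ -13,13 +14,14 @@ export default class Comment extends BaseComponent {
 
   render() {
     const { author, text } = this.props;
-    const rawMarkup = marked(text, { gfm: true, sanitize: true });
+    const rawMarkup = marked(text, { gfm: true });
+    const sanitizedRawMarkup = sanitizeHtml(rawMarkup);
 
     /* eslint-disable react/no-danger */
     return (
       <div className={css.comment}>
         <h2 className={`${css.commentAuthor} js-comment-author`}>{author}</h2>
-        <span dangerouslySetInnerHTML={{ __html: rawMarkup }} className="js-comment-text" />
+        <span dangerouslySetInnerHTML={{ __html: sanitizedRawMarkup }} className="js-comment-text" />
       </div>
     );
   }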
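Review bot: `sanitizeHtml(rawMarkup)` on the new line 18 relies entirely on the library's default policy, and per the sanitize-html README (worth confirming against the pinned 2.11.0) `img` is deliberately absent from that default allow-list, so GFM image syntax that marked previously rendered under `sanitize: true` will now be silently stripped rather than escaped. Whether that is acceptable should be a decision recorded in this file rather than inherited from a dependency default that can shift on upgrade; I would hoist an explicit options object to module scope and pass it as the second argument, which also keeps `allowedSchemes` pinned so `javascript:` hrefs stay rejected regardless of future defaults. Since comment text is untrusted user input rendered via `dangerouslySetInnerHTML`, the allow-list should stay minimal and any addition reviewed. `render()` is complete in the hunk, but the `Comment` class body continues outside it.

```javascript
// Explicit policy so the allow-list lives in this file rather than in
// whatever sanitize-html ships as its default. Comment text is untrusted
// user input, so keep this list minimal and review any addition.
const SANITIZE_OPTIONS = {
  allowedTags: [...sanitizeHtml.defaults.allowedTags, 'img'],
  allowedAttributes: {
    ...sanitizeHtml.defaults.allowedAttributes,
    img: ['src', 'alt', 'title'],
  },
  allowedSchemes: ['http', 'https', 'mailto'],
};

// … unchanged: css import, class header, render() up to rawMarkup …
    const sanitizedRawMarkup = sanitizeHtml(rawMarkup, SANITIZE_OPTIONS);
```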

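--- a/package.json
+++ b/package.json
@@ -77,6 +77,7 @@
     "redux": "^4.2.1",
     "redux-thunk": "^2.2.0",
     "resolve-url-loader": "^2.2.0",
+    "sanitize-html": "^2.11.0",
     "sass": "^1.58.3",
     "sass-loader": "^12.6.0",
     "sass-resources-loader": "^2.2.5",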

‎yarn.lock‎

Lines changed: 77 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3765,6 +3765,15 @@ dom-serializer@^1.0.1:
37653765
domhandler "^4.2.0"
37663766
entities "^2.0.0"
37673767

3768+
dom-serializer@^2.0.0:
3769+
version "2.0.0"
3770+
resolved "https://registry.yarnpkg.com/dom-serializer/-/dom-serializer-2.0.0.tgz#e41b802e1eedf9f6cae183ce5e622d789d7d8e53"
3771+
integrity sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==
3772+
dependencies:
3773+
domelementtype "^2.3.0"
3774+
domhandler "^5.0.2"
3775+
entities "^4.2.0"
3776+
37683777
dom-walk@^0.1.0:
37693778
version "0.1.2"
37703779
resolved "https://registry.yarnpkg.com/dom-walk/-/dom-walk-0.1.2.tgz#0c548bef048f4d1f2a97249002236060daa3fd84"
@@ -3775,7 +3784,7 @@ domain-browser@^1.1.1:
37753784
resolved "https://registry.yarnpkg.com/domain-browser/-/domain-browser-1.2.0.tgz#3d31f50191a6749dd1375a7f522e823d42e54eda"
37763785
integrity sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==
37773786

3778-
domelementtype@^2.0.1, domelementtype@^2.2.0:
3787+
domelementtype@^2.0.1, domelementtype@^2.2.0, domelementtype@^2.3.0:
37793788
version "2.3.0"
37803789
resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-2.3.0.tgz#5c45e8e869952626331d7aab326d01daf65d589d"
37813790
integrity sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==
@@ -3794,6 +3803,13 @@ domhandler@^4.0.0, domhandler@^4.2.0, domhandler@^4.3.1:
37943803
dependencies:
37953804
domelementtype "^2.2.0"
37963805

3806+
domhandler@^5.0.2, domhandler@^5.0.3:
3807+
version "5.0.3"
3808+
resolved "https://registry.yarnpkg.com/domhandler/-/domhandler-5.0.3.tgz#cc385f7f751f1d1fc650c21374804254538c7d31"
3809+
integrity sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==
3810+
dependencies:
3811+
domelementtype "^2.3.0"
3812+
37973813
domutils@^2.5.2, domutils@^2.8.0:
37983814
version "2.8.0"
37993815
resolved "https://registry.yarnpkg.com/domutils/-/domutils-2.8.0.tgz#4437def5db6e2d1f5d6ee859bd95ca7d02048135"
@@ -3803,6 +3819,15 @@ domutils@^2.5.2, domutils@^2.8.0:
38033819
domelementtype "^2.2.0"
38043820
domhandler "^4.2.0"
38053821

3822+
domutils@^3.0.1:
3823+
version "3.1.0"
3824+
resolved "https://registry.yarnpkg.com/domutils/-/domutils-3.1.0.tgz#c47f551278d3dc4b0b1ab8cbb42d751a6f0d824e"
3825+
integrity sha512-H78uMmQtI2AhgDJjWeQmHwJJ2bLPD3GMmO7Zja/ZZh84wkm+4ut+IUnUdRa8uCGX88DiVx1j6FRe1XfxEgjEZA==
3826+
dependencies:
3827+
dom-serializer "^2.0.0"
3828+
domelementtype "^2.3.0"
3829+
domhandler "^5.0.3"
3830+
38063831
dot-case@^3.0.4:
38073832
version "3.0.4"
38083833
resolved "https://registry.yarnpkg.com/dot-case/-/dot-case-3.0.4.tgz#9b2b670d00a431667a8a75ba29cd1b98809ce751"
@@ -3893,6 +3918,11 @@ entities@^2.0.0:
38933918
resolved "https://registry.yarnpkg.com/entities/-/entities-2.2.0.tgz#098dc90ebb83d8dffa089d55256b351d34c4da55"
38943919
integrity sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==
38953920

3921+
entities@^4.2.0, entities@^4.4.0:
3922+
version "4.5.0"
3923+
resolved "https://registry.yarnpkg.com/entities/-/entities-4.5.0.tgz#5d268ea5e7113ec74c4d033b79ea5a35a488fb48"
3924+
integrity sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==
3925+
38963926
env-paths@^2.2.0:
38973927
version "2.2.1"
38983928
resolved "https://registry.yarnpkg.com/env-paths/-/env-paths-2.2.1.tgz#420399d416ce1fbe9bc0a07c62fa68d67fd0f8f2"
@@ -5170,6 +5200,16 @@ htmlparser2@^6.1.0:
51705200
domutils "^2.5.2"
51715201
entities "^2.0.0"
51725202

5203+
htmlparser2@^8.0.0:
5204+
version "8.0.2"
5205+
resolved "https://registry.yarnpkg.com/htmlparser2/-/htmlparser2-8.0.2.tgz#f002151705b383e62433b5cf466f5b716edaec21"
5206+
integrity sha512-GYdjWKDkbRLkZ5geuHs5NY1puJ+PXwP7+fHPRz06Eirsb9ugf6d8kkXav6ADhcODhFFPMIXyxkxSuMf3D6NCFA==
5207+
dependencies:
5208+
domelementtype "^2.3.0"
5209+
domhandler "^5.0.3"
5210+
domutils "^3.0.1"
5211+
entities "^4.4.0"
5212+
51735213
http-cache-semantics@^4.1.0:
51745214
version "4.1.1"
51755215
resolved "https://registry.yarnpkg.com/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz#abe02fcb2985460bf0323be664436ec3476a6d5a"
@@ -5609,6 +5649,11 @@ is-plain-object@^2.0.4:
56095649
dependencies:
56105650
isobject "^3.0.1"
56115651

5652+
is-plain-object@^5.0.0:
5653+
version "5.0.0"
5654+
resolved "https://registry.yarnpkg.com/is-plain-object/-/is-plain-object-5.0.0.tgz#4427f50ab3429e9025ea7d52e9043a9ef4159344"
5655+
integrity sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==
5656+
56125657
is-potential-custom-element-name@^1.0.1:
56135658
version "1.0.1"
56145659
resolved "https://registry.yarnpkg.com/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz#171ed6f19e3ac554394edf78caa05784a45bebb5"
@@ -7035,6 +7080,11 @@ nanoid@^3.3.4:
70357080
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.4.tgz#730b67e3cd09e2deacf03c027c81c9d9dbc5e8ab"
70367081
integrity sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==
70377082

7083+
nanoid@^3.3.6:
7084+
version "3.3.6"
7085+
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.6.tgz#443380c856d6e9f9824267d960b4236ad583ea4c"
7086+
integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
7087+
70387088
natural-compare@^1.4.0:
70397089
version "1.4.0"
70407090
resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
@@ -7482,6 +7532,11 @@ parse-json@^5.0.0, parse-json@^5.2.0:
74827532
json-parse-even-better-errors "^2.3.0"
74837533
lines-and-columns "^1.1.6"
74847534

7535+
parse-srcset@^1.0.2:
7536+
version "1.0.2"
7537+
resolved "https://registry.yarnpkg.com/parse-srcset/-/parse-srcset-1.0.2.tgz#f2bd221f6cc970a938d88556abc589caaaa2bde1"
7538+
integrity sha512-/2qh0lav6CmI15FzA3i/2Bzk2zCgQhGMkvhOhKNcBVQ1ldgpbfiNTVslmooUmWJcADi1f1kIeynbDRVzNlfR6Q==
7539+
74857540
parse5@6.0.1:
74867541
version "6.0.1"
74877542
resolved "https://registry.yarnpkg.com/parse5/-/parse5-6.0.1.tgz#e1a1c085c569b3dc08321184f19a39cc27f7c30b"
@@ -7866,6 +7921,15 @@ postcss@^6.0.17:
78667921
source-map "^0.6.1"
78677922
supports-color "^5.4.0"
78687923

7924+
postcss@^8.3.11:
7925+
version "8.4.27"
7926+
resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.27.tgz#234d7e4b72e34ba5a92c29636734349e0d9c3057"
7927+
integrity sha512-gY/ACJtJPSmUFPDCHtX78+01fHa64FaU4zaaWfuh1MhGJISufJAH4cun6k/8fwsHYeK4UQmENQK+tRLCFJE8JQ==
7928+
dependencies:
7929+
nanoid "^3.3.6"
7930+
picocolors "^1.0.0"
7931+
source-map-js "^1.0.2"
7932+
78697933
postcss@^8.3.5, postcss@^8.4.19, postcss@^8.4.5:
78707934
version "8.4.21"
78717935
resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.21.tgz#c639b719a57efc3187b13a1d765675485f4134f4"
@@ -8671,6 +8735,18 @@ safe-regex-test@^1.0.0:
86718735
resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
86728736
integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==
86738737

8738+
sanitize-html@^2.11.0:
8739+
version "2.11.0"
8740+
resolved "https://registry.yarnpkg.com/sanitize-html/-/sanitize-html-2.11.0.tgz#9a6434ee8fcaeddc740d8ae7cd5dd71d3981f8f6"
8741+
integrity sha512-BG68EDHRaGKqlsNjJ2xUB7gpInPA8gVx/mvjO743hZaeMCZ2DwzW7xvsqZ+KNU4QKwj86HJ3uu2liISf2qBBUA==
8742+
dependencies:
8743+
deepmerge "^4.2.2"
8744+
escape-string-regexp "^4.0.0"
8745+
htmlparser2 "^8.0.0"
8746+
is-plain-object "^5.0.0"
8747+
parse-srcset "^1.0.2"
8748+
postcss "^8.3.11"
8749+
86748750
sass-graph@^4.0.1:
86758751
version "4.0.1"
86768752
resolved "https://registry.yarnpkg.com/sass-graph/-/sass-graph-4.0.1.tgz#2ff8ca477224d694055bf4093f414cf6cfad1d2e"
