
Fixed an XSS vulnerability.
MrCoder committed Jun 26, 2024
1 parent dcfee8c commit ad7545b
Showing 3 changed files with 36 additions and 23 deletions.
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -49,6 +49,7 @@
"antlr4": "~4.11.0",
"color-string": "^1.5.5",
"dom-to-image-more": "^2.13.0",
"dompurify": "^3.1.5",
"file-saver": "^2.0.5",
"highlight.js": "^10.7.3",
"html-to-image": "^1.11.3",
50 changes: 30 additions & 20 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Expand Up @@ -8,6 +8,8 @@

<script type="text/babel">
import { marked } from "marked";
import DOMPurify from "dompurify";
import highlightjs from "highlight.js/lib/core";
// Languages import
Expand Down Expand Up @@ -61,10 +63,10 @@ export default {
props: ["comment", "commentObj"],
computed: {
markedComment() {
return (
const dirtyHTML =
(this.commentObj?.text && marked.parse(this.commentObj?.text)) ||
(this.comment && marked.parse(this.comment))
);
(this.comment && marked.parse(this.comment));
return DOMPurify.sanitize(dirtyHTML);
},
commentStyle() {
return this.commentObj?.commentStyle;
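Review bot: `DOMPurify.sanitize(dirtyHTML)` in `markedComment()` runs with the default configuration, which also lets SVG and MathML markup through, neither of which rendered Markdown comments need. Passing the HTML-only profile narrows what untrusted comment text can produce: `return DOMPurify.sanitize(dirtyHTML, { USE_PROFILES: { html: true } });`. The sanitized string has to stay the last transformation before it is bound into the template; the binding itself (presumably `v-html`) is outside this hunk, so it is worth confirming that no other path renders `marked.parse()` output unsanitized. A short comment above the return, such as `// marked does not sanitize its output; this string is injected as HTML, so it must pass through DOMPurify`, would keep a later refactor from dropping the call.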
