Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

meta: update packages #94

Merged
merged 5 commits into from
Dec 28, 2024
Merged

meta: update packages #94

merged 5 commits into from
Dec 28, 2024

Conversation

chrispuska
Copy link
Member

No description provided.

@chrispuska chrispuska self-assigned this Dec 28, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 28, 2024
View reviewed changes
packages/components/components/Markdown/Markdown.tsx
export const Markdown: FC<MarkdownProps> = ({ text, isNonSelectable }) => {
if (!text) return null

const innerHTML = { __html: md.render(text) }

Check warning

Code scanning / CodeQL

Unsafe HTML constructed from library input Medium

This markdown rendering which depends on
library input
Loading
might later allow
cross-site scripting
Loading
.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the text input is sanitized before it is used to construct HTML content. This can be achieved by using a library that sanitizes HTML, such as dompurify. This will help prevent XSS attacks by removing any potentially harmful scripts from the input.

  1. Install the dompurify library.
  2. Import dompurify in the Markdown.tsx file.
  3. Use dompurify to sanitize the text input before passing it to md.render.
Suggested changeset 2
packages/components/components/Markdown/Markdown.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/components/components/Markdown/Markdown.tsx b/packages/components/components/Markdown/Markdown.tsx
--- a/packages/components/components/Markdown/Markdown.tsx
+++ b/packages/components/components/Markdown/Markdown.tsx
@@ -5,2 +5,3 @@
 import type { MarkdownProps } from "./Markdown.types"
+import DOMPurify from 'dompurify';
 
@@ -9,3 +10,4 @@
 
-	const innerHTML = { __html: md.render(text) }
+	const sanitizedText = DOMPurify.sanitize(text);
+	const innerHTML = { __html: md.render(sanitizedText) }
 	const markdownClasses: string = getClasses(styles.markdown, {
EOF
@@ -5,2 +5,3 @@
import type { MarkdownProps } from "./Markdown.types"
import DOMPurify from 'dompurify';

@@ -9,3 +10,4 @@

const innerHTML = { __html: md.render(text) }
const sanitizedText = DOMPurify.sanitize(text);
const innerHTML = { __html: md.render(sanitizedText) }
const markdownClasses: string = getClasses(styles.markdown, {
packages/components/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/components/package.json b/packages/components/package.json
--- a/packages/components/package.json
+++ b/packages/components/package.json
@@ -39,3 +39,4 @@
 		"react-dom": "^19.0.0",
-		"react-plock": "^3.4.0"
+		"react-plock": "^3.4.0",
+		"dompurify": "^3.2.3"
 	},
EOF
@@ -39,3 +39,4 @@
"react-dom": "^19.0.0",
"react-plock": "^3.4.0"
"react-plock": "^3.4.0",
"dompurify": "^3.2.3"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.3 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@chrispuska chrispuska merged commit eecc9a1 into main Dec 28, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@chrispuska chrispuska

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@chrispuska