Merge commit from fork

* Sanitize markdown when rendering notes fields * Update helpers.py * Update mixins.py * format * format * Allow horizontal rule in markdown * Display returned error mesage * More instructive error msg * Specify output_format to markdown.markdown Ref: https://python-markdown.github.io/reference/markdown/serializers/ * Cleanup * Adjust allowable markdown tags * Add unit test for malicious markdown XSS --------- Co-authored-by: Matthias Mair <code@mjmair.com>
2025-06-17 04:25:42 +00:00 · 2024-10-07 08:57:47 +11:00
parent a323bf0007
commit 846b17aa1d
10 changed files with 122 additions and 7 deletions
--- a/src/frontend/package.json
+++ b/src/frontend/package.json
@ -48,6 +48,7 @@
        "clsx": "^2.1.1",
        "codemirror": "^6.0.1",
        "dayjs": "^1.11.13",
+        "dompurify": "^3.1.7",
        "easymde": "^2.18.0",
        "embla-carousel-react": "^8.3.0",
        "fuse.js": "^7.0.0",
--- a/src/frontend/src/components/editors/NotesEditor.tsx
+++ b/src/frontend/src/components/editors/NotesEditor.tsx
@ -1,6 +1,7 @@
 import { t } from '@lingui/macro';
 import { notifications } from '@mantine/notifications';
 import { useQuery } from '@tanstack/react-query';
+import DOMPurify from 'dompurify';
 import EasyMDE, { default as SimpleMde } from 'easymde';
 import 'easymde/dist/easymde.min.css';
 import { useCallback, useEffect, useMemo, useState } from 'react';
@ -120,11 +121,16 @@ export default function NotesEditor({
            id: 'notes'
          });
        })
-        .catch(() => {
+        .catch((error) => {
          notifications.hide('notes');
+
+          let msg =
+            error?.response?.data?.non_field_errors[0] ??
+            t`Failed to save notes`;
+
          notifications.show({
-            title: t`Error`,
-            message: t`Failed to save notes`,
+            title: t`Error Saving Notes`,
+            message: msg,
            color: 'red',
            id: 'notes'
          });
@ -181,6 +187,11 @@ export default function NotesEditor({
      uploadImage: true,
      imagePathAbsolute: true,
      imageUploadFunction: imageUploadHandler,
+      renderingConfig: {
+        sanitizerFunction: (html: string) => {
+          return DOMPurify.sanitize(html);
+        }
+      },
      sideBySideFullscreen: false,
      shortcuts: {},
      spellChecker: false
--- a/src/frontend/yarn.lock
+++ b/src/frontend/yarn.lock
@ -2578,6 +2578,11 @@ dom-helpers@^5.0.1:
    "@babel/runtime" "^7.8.7"
    csstype "^3.0.2"

+dompurify@^3.1.7:
+  version "3.1.7"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.1.7.tgz#711a8c96479fb6ced93453732c160c3c72418a6a"
+  integrity sha512-VaTstWtsneJY8xzy7DekmYWEOZcmzIe3Qb3zPd4STve1OBTa+e+WmS1ITQec1fZYXI3HCsOZZiSMpG6oxoWMWQ==
+
 easymde@^2.18.0:
  version "2.18.0"
  resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.18.0.tgz#ff1397d07329b1a7b9187d2d0c20766fa16b3b1b"