Skip to content

🤖 fix: add rehype-sanitize to prevent XSS in markdown rendering #1050

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ammario merged 1 commit into from
Dec 10, 2025
Merged

🤖 fix: add rehype-sanitize to prevent XSS in markdown rendering #1050

ammario merged 1 commit into from
Dec 10, 2025

Conversation

@ammar-agent
Copy link
Collaborator

@ammar-agent ammar-agent commented Dec 9, 2025

Problem

The error The tag <noun> is unrecognized in this browser indicated that arbitrary HTML tags were being parsed and rendered. This exposed the app to XSS attacks.

Root Cause

The markdown rendering pipeline used:

  1. rehype-raw - Parses raw HTML embedded in markdown
  2. rehype-harden - Only sanitizes URLs in <a> and <img> tags

The gap: rehype-harden does NOT strip unknown/dangerous HTML elements (<script>, <style>, <form>, <noun>, etc.) or remove event handlers (onclick, onerror, etc.).

Solution

Add rehype-sanitize to the plugin chain with a schema that:

  • Allows safe HTML elements commonly used in markdown
  • Allows KaTeX MathML elements for math rendering
  • Allows <details>/<summary> for collapsible sections
  • Blocks dangerous elements and strips event handlers

Testing

  • make static-check passes
  • make typecheck passes
  • Mermaid tests pass

Generated with mux

@ammar-agent
🤖 fix: add rehype-sanitize to prevent XSS in markdown rendering
1ea4f72 
Previously, the markdown pipeline used rehype-raw to parse HTML but only had
rehype-harden which filters URLs in links/images. This left the app vulnerable
to XSS via arbitrary HTML elements (like <noun>, <script>, <style>) and event
handlers (onclick, onerror, etc.) that could be injected via prompt injection.

Add rehype-sanitize to the pipeline with a schema that:
- Allows safe HTML elements commonly used in markdown
- Allows KaTeX MathML elements for math rendering
- Allows details/summary for collapsible sections
- Blocks dangerous elements (script, style, form, etc.)
- Strips event handlers and other dangerous attributes

_Generated with mux_
@chatgpt-codex-connector
Copy link

chatgpt-codex-connector bot commented Dec 9, 2025

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Repo admins can enable using credits for code reviews in their settings.

@ammario ammario merged commit cb1683e into main Dec 10, 2025
20 of 21 checks passed
@ammario ammario deleted the fix-xss-noun-tag-error branch December 10, 2025 00:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ammar-agent @ammario