XSS vulnerability in @react-email/markdown

[gtsp233]

Hi, I've found a Cross-Site Scripting (XSS) vulnerability in @react-email/markdown

Vulnerability Details:

• Severity: High/Critical
• Description: There's a risk of malicious script execution when the content of the markdown is malicious

Steps to Reproduce:

import React from "react";
import ReactDOM from "react-dom/client";
import { Markdown } from "@react-email/markdown";

function App() {
    return <Markdown>{`<img src='' onError=alert(1) />'`}</Markdown>
}

const root = ReactDOM.createRoot(document.getElementById("root"));
root.render(<App />);

Suggested Fix or Mitigation:
Since the dependency, markdown parser md-to-react-email": "4.1.0", does not sanitize the markdown output, I'd suggest sanitizing the markdown output using popular libraries like dompurify to make this package safe by default

[lordelogos]

Hi @gtsp233,

Thank you for bringing up this concern.

In response to your query, the integration of DOMPurify in this library was intentionally removed, as detailed in the explanation provided here

For addressing any XSS vulnerability, my recommendation is for developers to incorporate the DOM Purify library directly into their projects, tailoring its usage to suit their specific use cases. This approach ensures a robust and customised solution to mitigate any potential security risks.

Thank you for your understanding and proactive involvement.