
Security: Prevent HTML/CSS injection in markdown rendering #87

Merged
ValwareIRC merged 4 commits into main from fix/markdown on Oct 16, 2025

Conversation


@ValwareIRC ValwareIRC commented Oct 16, 2025

This PR implements comprehensive security fixes for markdown rendering to prevent HTML and CSS injection attacks.

Security Fixes

1. Raw HTML Prevention

  • Strip all HTML tags from input before markdown processing
  • Block dangerous HTML injection like <div style="background:black">
  • Only allow markdown-generated HTML through

2. HTML Tag Whitelisting

  • Restrict allowed HTML tags to markdown-specific elements only
  • Block potentially harmful tags like div, span, etc.
  • Allow only: p, br, strong, b, em, i, h1-h6, ul, ol, li, blockquote, code, pre, a, img, hr, table, thead, tbody, tr, th, td, del, ins

3. Style Attribute Sanitization

  • Remove all style attributes from HTML tags
  • Prevent CSS injection attacks
  • Maintain controlled styling only for images (max-height: 150px)

4. Enhanced Sanitization

  • Remove dangerous tags: script, iframe, object, embed, style, link, meta
  • Strip event handlers and javascript: URLs
  • Comprehensive security filtering

Impact

  • ✅ Blocks HTML/CSS injection attacks
  • ✅ Maintains markdown functionality (bold, italic, links, images, etc.)
  • ✅ Preserves image size constraints
  • ✅ All tests passing
  • ✅ No breaking changes

Testing

  • All 250 tests passing
  • Linting clean
  • Security validation complete

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced content filtering in markdown rendering to remove harmful elements, event handlers, and javascript protocols.
    • Normalized image display with consistent styling and dimensions.
    • Added input validation and length limits to prevent rendering issues.

- Keep forced styling on images with max-height constraint
- Remove dangerous HTML tags (style, link, meta) from markdown output
- Improve security sanitization for markdown rendering
- Force all img tags to have style='max-height: 150px;' regardless of source
- Override any user-provided styles on images
- Maintain consistent image sizing across markdown and raw HTML
- Prevent raw HTML injection by removing all HTML tags before parsing
- Block dangerous HTML like <div style="..."> from being processed
- Ensure only markdown-generated HTML can be rendered

coderabbitai Bot commented Oct 16, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

The PR implements a security-focused sanitization pipeline for markdown rendering in ircUtils.tsx. Input text is stripped of HTML tags, markdown is parsed, then output is filtered to allow only whitelisted HTML elements. Dangerous content (scripts, iframes, styles, links) is removed, event handlers are stripped, image styles are normalized, and input validation with length caps is added to prevent XSS and DoS attacks.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Markdown Sanitization Pipeline (src/lib/ircUtils.tsx) | Implements a security-hardened markdown rendering function: strips HTML tags before parsing, enforces an allowlist of safe HTML tags (allowedTags whitelist), removes dangerous elements (scripts, iframes, objects, embeds, styles, links, meta tags), strips event handlers and javascript: protocols, normalizes image styling with controlled dimensions and a fallback for disabled external content, and adds input validation with a length cap to prevent DoS attacks. |

Sequence Diagram

sequenceDiagram
    participant User
    participant renderMarkdown
    participant Sanitization
    participant MarkdownParser
    participant Validator

    User->>renderMarkdown: Input markdown text
    
    rect rgb(230, 240, 250)
    Note over renderMarkdown: New Security Pipeline
    renderMarkdown->>Validator: Check length & validity
    Validator-->>renderMarkdown: Valid/Invalid
    end
    
    alt Invalid Input
        renderMarkdown-->>User: Return text as-is
    else Valid Input
        renderMarkdown->>Sanitization: Strip HTML tags
        Sanitization->>MarkdownParser: Clean input
        MarkdownParser->>Sanitization: Parse to HTML
        
        rect rgb(240, 230, 250)
        Note over Sanitization: Filter & Normalize
        Sanitization->>Sanitization: Apply allowlist
        Sanitization->>Sanitization: Remove dangerous tags
        Sanitization->>Sanitization: Strip event handlers
        Sanitization->>Sanitization: Normalize img styles
        end
        
        Sanitization-->>renderMarkdown: Sanitized HTML
        renderMarkdown-->>User: Safe rendered content
    end

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Reasoning: The change introduces security-critical sanitization logic with moderate complexity. While focused to a single file, the logic involves multiple interconnected security concerns (whitelist validation, dangerous content removal, event handler stripping, input validation), each requiring careful scrutiny. The implementation pattern is consistent but security-sensitive, necessitating thorough review of edge cases and bypass prevention.

Suggested Reviewers

  • matheusfillipe

Poem

🐰 Hop through the code with a sanitized glow,
Stripping the danger and scripts down below,
Whitelists dance where the safe HTML plays,
Images styled in controlled, trusted ways,
Security bundled in each blessed line! ✨


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b33b814 and 33cdf56.

📒 Files selected for processing (1)
  • src/lib/ircUtils.tsx (1 hunks)

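The PR description ("Security Fixes" 1-4) and the CodeRabbit walkthrough both describe the same pipeline: strip raw HTML before parsing, parse the markdown, then allowlist the parser's output, drop dangerous elements, strip event handlers and javascript: URLs, and force a max-height style onto every image. The following is an added example written for this page, not the project's code: the real implementation lives in src/lib/ircUtils.tsx and is not shown here. The tag allowlist, the dangerous-tag list and the 150px image constraint are taken from the PR description; the function names, the 10,000-character length cap and the tiny stand-in markdown parser (`miniMarkdown`) are assumptions, as is the choice to HTML-escape over-long input rather than return it untouched.

```typescript
// Added example (not ObsidianIRC's code): the sanitization pipeline described in PR #87.
// Allowlist taken from the PR description ("Allow only: p, br, strong, ...").
const ALLOWED_TAGS = new Set([
  "p", "br", "strong", "b", "em", "i", "h1", "h2", "h3", "h4", "h5", "h6",
  "ul", "ol", "li", "blockquote", "code", "pre", "a", "img", "hr",
  "table", "thead", "tbody", "tr", "th", "td", "del", "ins",
]);
const DANGEROUS_TAGS = "script|iframe|object|embed|style|link|meta"; // from the PR description
const MAX_INPUT_LENGTH = 10_000;                 // assumed value; the PR names a cap but not its size
const IMG_STYLE = 'style="max-height: 150px;"'; // the forced image constraint from the PR

/** Step 1 (pre-parse): drop every raw HTML tag so only markdown syntax reaches the parser. */
function stripRawHtml(input: string): string {
  return input.replace(/<[^>]*>/g, "");
}

/** Plain-text escape used when input fails validation (assumption: safer than returning it as-is). */
function escapeHtml(text: string): string {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

/** Step 2 (post-parse): keep only allowlisted tags and scrub the attributes of those that remain. */
function sanitizeRenderedHtml(html: string): string {
  // Remove dangerous elements together with their content, then any stray open/close tags of them.
  let out = html.replace(new RegExp(`<(${DANGEROUS_TAGS})\\b[^>]*>[\\s\\S]*?<\\/\\1\\s*>`, "gi"), "");
  out = out.replace(new RegExp(`<\\/?(${DANGEROUS_TAGS})\\b[^>]*>`, "gi"), "");

  // Walk every remaining tag: drop non-allowlisted ones (their text stays), scrub the rest.
  return out.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g,
    (_m: string, slash: string, rawName: string, rawAttrs: string): string => {
      const name = rawName.toLowerCase();
      if (!ALLOWED_TAGS.has(name)) return "";      // div, span, ... vanish entirely
      if (slash) return `</${name}>`;
      const selfClosing = /\/\s*$/.test(rawAttrs);
      let attrs = rawAttrs
        .replace(/\/\s*$/, "")
        .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")           // event handlers
        .replace(/\s+style\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")              // user-supplied CSS
        .replace(/\s+(href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\2/gi, ""); // javascript: URLs
      if (name === "img") attrs += ` ${IMG_STYLE}`; // appended after stripping, so it always wins
      return `<${name}${attrs}${selfClosing ? " /" : ""}>`;
    });
}

/** Stand-in for the real markdown parser (assumed; handles only images, links, bold and italic). */
function miniMarkdown(md: string): string {
  return md
    .replace(/!\[([^\]]*)\]\(([^)\s]+)\)/g, '<img alt="$1" src="$2">')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>')
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/\*(.+?)\*/g, "<em>$1</em>");
}

/** The whole pipeline: validate, strip raw HTML, parse, then filter the parser's output. */
function renderSafeMarkdown(input: string, parse: (md: string) => string = miniMarkdown): string {
  if (typeof input !== "string" || input.length > MAX_INPUT_LENGTH) return escapeHtml(String(input));
  return sanitizeRenderedHtml(parse(stripRawHtml(input)));
}

// Constructed sample input: the injection quoted in the PR description next to legitimate markdown.
const SAMPLE = '<div style="background:black">hi</div> **bold** ![pic](https://example.com/a.png)';
console.log(renderSafeMarkdown(SAMPLE));
// hi <strong>bold</strong> <img alt="pic" src="https://example.com/a.png" style="max-height: 150px;">
```

The point worth checking in review is that the image style is appended after every user-supplied `style` has been removed, so a `style` that came from the parser or from raw input can never survive beside the forced one. A regex tag walker of this shape is only as good as its patterns: attribute values containing `>`, entity-encoded or whitespace-split `javascript:` schemes, and non-http schemes other than `javascript:` are all outside what these expressions recognise, so a DOM-based sanitizer run over the parser output is the more robust choice, and the example above is the minimum a reviewer should expect the project's own regex-based filter to cover.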

@github-actions

Pages Preview
Preview URL: https://fix-markdown.obsidianirc.pages.dev

Automated deployment preview for the PR on Cloudflare Pages.

@ValwareIRC ValwareIRC merged commit 7687b19 into main Oct 16, 2025
3 of 4 checks passed
zocram4cc pushed a commit to zocram4cc/ObsidianIRC that referenced this pull request Feb 17, 2026

* Remove style attributes from markdown-rendered HTML and enhance security

- Keep forced styling on images with max-height constraint
- Remove dangerous HTML tags (style, link, meta) from markdown output
- Improve security sanitization for markdown rendering

* Ensure all img tags have controlled max-height styling

- Force all img tags to have style='max-height: 150px;' regardless of source
- Override any user-provided styles on images
- Maintain consistent image sizing across markdown and raw HTML

* lint

* Strip all HTML tags from input before markdown processing

- Prevent raw HTML injection by removing all HTML tags before parsing
- Block dangerous HTML like <div style="..."> from being processed
- Ensure only markdown-generated HTML can be rendered
