Skip to content

Security: Prevent HTML/CSS injection in markdown rendering #87

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ValwareIRC merged 4 commits into from
Oct 16, 2025
Merged

Security: Prevent HTML/CSS injection in markdown rendering #87

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
05232f2
Remove style attributes from markdown-rendered HTML and enhance security
ValwareIRC Oct 16, 2025
7c93728
Ensure all img tags have controlled max-height styling
ValwareIRC Oct 16, 2025
ab62c65
lint
ValwareIRC Oct 16, 2025
33cdf56
Strip all HTML tags from input before markdown processing
ValwareIRC Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 64 additions & 4 deletions src/lib/ircUtils.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,24 +240,84 @@ export function renderMarkdown(
return `<a href="${sanitizedHref}"${titleAttr} target="_blank" rel="noopener noreferrer" class="${linkClass}">${text}</a>`;
};

// Strip all HTML tags from input before markdown processing
const textWithoutHtml = text.replace(/<[^>]*>/g, "");

marked.setOptions({
breaks: true,
gfm: true,
renderer: renderer,
});

// Parse markdown to HTML
const html = marked.parse(text) as string;

// Additional security: remove any remaining script tags or dangerous content that might have slipped through
const sanitizedHtml = html
const html = marked.parse(textWithoutHtml) as string;

// Additional security: only allow specific markdown-related HTML tags
// Define allowed HTML tags for markdown rendering
const allowedTags = new Set([
"p",
"br",
"strong",
"b",
"em",
"i",
"h1",
"h2",
"h3",
"h4",
"h5",
"h6",
"ul",
"ol",
"li",
"blockquote",
"code",
"pre",
"a",
"img",
"hr",
"table",
"thead",
"tbody",
"tr",
"th",
"td",
"del",
"ins",
]);

// Remove dangerous content first
let sanitizedHtml = html
.replace(/<script[^>]*>.*?<\/script>/gi, "")
.replace(/<iframe[^>]*>.*?<\/iframe>/gi, "")
.replace(/<object[^>]*>.*?<\/object>/gi, "")
.replace(/<embed[^>]*>.*?<\/embed>/gi, "")
.replace(/<style[^>]*>.*?<\/style>/gi, "")
.replace(/<link[^>]*\/?>/gi, "")
.replace(/<meta[^>]*\/?>/gi, "")
.replace(/on\w+="[^"]*"/gi, "") // Remove event handlers
.replace(/javascript:/gi, "#");

// Remove any HTML tags that are not in the allowed list
sanitizedHtml = sanitizedHtml.replace(
/<\/?([a-zA-Z][a-zA-Z0-9]*)(?:\s[^>]*)?>/g,
(match, tagName) => {
return allowedTags.has(tagName.toLowerCase()) ? match : "";
},
);

// Remove all style attributes from allowed tags and ensure img tags have controlled styling
sanitizedHtml = sanitizedHtml.replace(/<([^>]+)>/g, (match, content) => {
// For img tags, ensure they have our controlled style
if (content.trim().startsWith("img")) {
// Remove any existing style and add our controlled one
const withoutStyle = content.replace(/\s+style="[^"]*"/gi, "");
return `<${withoutStyle} style="max-height: 150px;">`;
}
// Remove style attributes from all other tags
return `<${content.replace(/\s+style="[^"]*"/gi, "")}>`;
});

// Return a div with dangerouslySetInnerHTML
return (
<div
Expand Down