Potential fix for code scanning alert no. 93: DOM text reinterpreted as HTML#160
Conversation
…as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c13c37a7e0
| // Copyright (c) 2026 GitStore contributors | ||
|
|
||
| import React, { useState } from 'react'; | ||
| import DOMPurify from 'dompurify'; |
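Review bot: the `dangerouslySetInnerHTML` call site this import is meant to protect is not in the visible hunks; confirm that the preview branch in MarkdownEditor.tsx now reads `sanitizedPreviewHtml` and that no direct `renderMarkdown(value)` use remains at that sink, otherwise the code-scanning alert stays open. The admin package manifest and lockfile also need to declare `dompurify` for this import to resolve on a clean install.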
Add the new sanitizer package to admin dependencies
This change introduces import DOMPurify from 'dompurify', but gitstore-admin/package.json and package-lock.json do not include dompurify, so a clean install/build of the admin app cannot resolve this module and will fail at compile/bundle time. Because CI and new environments rely on declared dependencies, this breaks the feature universally until the dependency is added and locked.
| return html; | ||
| }; | ||
|
|
||
| const sanitizedPreviewHtml = DOMPurify.sanitize(renderMarkdown(value)); |
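Review bot: the sanitize call on the last line of this hunk runs on every render, including when the preview is hidden; memoize it on `value` so the sanitizer remains the single step before the sink but only reruns when the input changes, e.g. `const sanitizedPreviewHtml = useMemo(() => DOMPurify.sanitize(renderMarkdown(value)), [value]);` with `useMemo` added to the React import. Keeping the sanitized value as the sole source for the preview HTML is what closes the alert, so avoid moving the call back into the preview branch as an inline expression that a later edit could bypass.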
Avoid sanitizing markdown when preview is hidden
Computing sanitizedPreviewHtml unconditionally causes renderMarkdown(value) and DOMPurify.sanitize(...) to run on every render, including normal typing mode when preview is off. Previously this work happened only in the preview branch, so this introduces avoidable per-keystroke overhead that can noticeably slow editing for larger markdown inputs.
Potential fix for https://github.com/gitstore-dev/GitStore/security/code-scanning/93
Use a proven HTML sanitizer on the rendered markdown output before passing it to dangerouslySetInnerHTML.
Best fix with minimal behavior change:
- In gitstore-admin/src/components/shared/MarkdownEditor.tsx, import DOMPurify.
- Sanitize the renderMarkdown(value) result using DOMPurify.sanitize(...).
- Pass the sanitized HTML to dangerouslySetInnerHTML.
This addresses all variants because all tainted flows converge at the same sink in MarkdownEditor.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.