Skip to content

Potential fix for code scanning alert no. 93: DOM text reinterpreted as HTML #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
juliuskrah merged 2 commits into from
May 15, 2026
Merged

Potential fix for code scanning alert no. 93: DOM text reinterpreted as HTML #160

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c13c37a
Potential fix for code scanning alert no. 93: DOM text reinterpreted …
juliuskrah May 15, 2026
b170a1b
fix(admin): add dompurify dependency to package manifests
juliuskrah May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion gitstore-admin/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion gitstore-admin/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@
"react-beautiful-dnd": "^13.1.1",
"react-dom": "^18.2.0",
"urql": "^5.0.1",
"uuid": "^9.0.1"
"uuid": "^9.0.1",
"dompurify": "^3.2.6"
},
"devDependencies": {
"@graphql-codegen/cli": "^7.0.0",
Expand Down
5 changes: 4 additions & 1 deletion gitstore-admin/src/components/shared/MarkdownEditor.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
// Copyright (c) 2026 GitStore contributors

import React, { useState } from 'react';
import DOMPurify from 'dompurify';
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Add the new sanitizer package to admin dependencies

This change introduces import DOMPurify from 'dompurify', but gitstore-admin/package.json and package-lock.json do not include dompurify, so a clean install/build of the admin app cannot resolve this module and will fail at compile/bundle time. Because CI and new environments rely on declared dependencies, this breaks the feature universally until the dependency is added and locked.

Useful? React with 👍 / 👎.


interface MarkdownEditorProps {
value: string;
Expand Down Expand Up @@ -95,6 +96,8 @@ export function MarkdownEditor({
return html;
};

const sanitizedPreviewHtml = DOMPurify.sanitize(renderMarkdown(value));
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid sanitizing markdown when preview is hidden

Computing sanitizedPreviewHtml unconditionally causes renderMarkdown(value) and DOMPurify.sanitize(...) to run on every render, including normal typing mode when preview is off. Previously this work happened only in the preview branch, so this introduces avoidable per-keystroke overhead that can noticeably slow editing for larger markdown inputs.

Useful? React with 👍 / 👎.


return (
<div style={styles.container}>
{/* Toolbar */}
Expand Down Expand Up @@ -220,7 +223,7 @@ export function MarkdownEditor({
) : (
<div
style={styles.preview}
dangerouslySetInnerHTML={{ __html: renderMarkdown(value) }}
dangerouslySetInnerHTML={{ __html: sanitizedPreviewHtml }}
/>
)}
</div>
Expand Down
Loading