mirror of
https://github.com/alibaba/open-code-review.git
synced 2026-07-09 17:28:58 +00:00
* fix(pages): address CodeQL XSS alerts in markdown rendering Alert #4 (headingId.ts): replace the unreliable single-pass regex used to strip HTML tags (incomplete multi-character sanitization) with DOMPurify. This also fixes a pre-existing mismatch where headings containing HTML entities produced different anchor ids on the TOC vs renderer sides. Alert #5 (MarkdownRenderer.tsx): mermaid runs with securityLevel:'strict' and already sanitizes its own SVG output, so re-running DOMPurify over the whole SVG broke rendering (namespaces, inline <style>, foreignObject labels). Make securityLevel explicit and inject mermaid's trusted output directly, annotated with a codeql suppression comment. * docs(pages): clarify CodeQL XSS suppression justification in MarkdownRenderer The suppression comment claimed the mermaid SVG is 'not raw user input', which understates the trust boundary. The SVG is in fact derived from user-controlled mermaid code; safety relies on mermaid's securityLevel: 'strict' sanitizing the output via DOMPurify. Update the comment to state this accurately and flag that the boundary depends on that setting. |
||
|---|---|---|
| .. | ||
| assets | ||
| components | ||
| content/docs | ||
| hooks | ||
| i18n | ||
| pages | ||
| styles | ||
| utils | ||
| App.tsx | ||
| assets.d.ts | ||
| index.tsx | ||