fix(math-renderer): sanitize html from katex

serlo · Dec 23, 2024 · 834d64b · 834d64b
1 parent b1fbe7c
commit 834d64b
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/apps/web/package.json b/apps/web/package.json
@@ -52,6 +52,7 @@
     "autoprefixer": "^10.4.20",
     "canvas-confetti": "^1.9.3",
     "clsx": "^2.1.1",
+    "dompurify": "^3.2.3",
     "fast-xml-parser": "^4.5.0",
     "fp-ts": "^2.16.9",
     "graphiql": "^3.7.2",

diff --git a/packages/editor/src/plugins/text/static-components/static-math.tsx b/packages/editor/src/plugins/text/static-components/static-math.tsx
@@ -1,5 +1,6 @@
 import { sanitizeLatex } from '@editor/plugins/text/utils/sanitize-latex'
 import { cn } from '@editor/utils/cn'
+import DOMPurify from 'dompurify'
 import KaTeX from 'katex'
 // eslint-disable-next-line import/no-unassigned-import
 import 'katex/contrib/mhchem'
@@ -67,10 +68,13 @@ export function StaticMath({ src, inline }: StaticMathProps) {
           },
         })
       : ''
+
+    // Even though we can trust the html created by Katex we sanitize the html as a second guard against XSS.
+    const sanitizedHtml = DOMPurify.sanitize(html)
     return (
       <span
         className="inline-block py-1 [page-break-inside:avoid]"
-        dangerouslySetInnerHTML={{ __html: html }}
+        dangerouslySetInnerHTML={{ __html: sanitizedHtml }}
       />
     )
   }

diff --git a/yarn.lock b/yarn.lock
@@ -5925,6 +5925,7 @@ __metadata:
     canvas-confetti: ^1.9.3
     clsx: ^2.1.1
     cross-env: ^7.0.3
+    dompurify: ^3.2.3
     dotenv: ^16.4.5
     eslint: ^9.14.0
     eslint-config-next: ^15.0.3