xinyin025/LangBot
1
0
Fork 0
mirror of https://github.com/langbot-app/LangBot.git synced 2026-06-13 01:06:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
Add rehype-sanitize after rehypeRaw in all ReactMarkdown usages:
- PluginReadme.tsx (plugin README rendering)
- DebugDialog.tsx (debug chat message rendering)
- NewVersionDialog.tsx (release notes rendering)

This prevents injection of raw HTML (e.g. <iframe srcdoc>) that
could steal session tokens and API credentials from localStorage.

Fixes GHSA-w8gq-g4pc-xh3h
This commit is contained in:
Junyan Chin
2026-03-01 17:01:23 +08:00
committed by GitHub
parent 8600d0a8e7
commit 614621ab7b
5 changed files with 43 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
web/src/app/home/components/new-version-dialog/NewVersionDialog.tsx
View File

@@ -4,6 +4,7 @@ import { useTranslation } from 'react-i18next';
import ReactMarkdown from 'react-markdown';
import remarkGfm from 'remark-gfm';
import rehypeRaw from 'rehype-raw';
import rehypeSanitize from 'rehype-sanitize';
import rehypeHighlight from 'rehype-highlight';
import i18n from 'i18next';
import { ExternalLink } from 'lucide-react';
@@ -62,7 +63,7 @@ export default function NewVersionDialog({
<div className="markdown-body max-w-none text-sm">
<ReactMarkdown
remarkPlugins={[remarkGfm]}
rehypePlugins={[rehypeRaw, rehypeHighlight]}
rehypePlugins={[rehypeRaw, rehypeSanitize, rehypeHighlight]}
components={{
ul: ({ children }) => <ul className="list-disc">{children}</ul>,
ol: ({ children }) => (

2
web/src/app/home/pipelines/components/debug-dialog/DebugDialog.tsx
View File

@@ -25,6 +25,7 @@ import ReactMarkdown from 'react-markdown';
import remarkGfm from 'remark-gfm';
import rehypeHighlight from 'rehype-highlight';
import rehypeRaw from 'rehype-raw';
import rehypeSanitize from 'rehype-sanitize';
import rehypeSlug from 'rehype-slug';
import rehypeAutolinkHeadings from 'rehype-autolink-headings';
import '@/styles/github-markdown.css';
@@ -622,6 +623,7 @@ export default function DebugDialog({
remarkPlugins={[remarkGfm]}
rehypePlugins={[
rehypeRaw,
rehypeSanitize,
rehypeHighlight,
rehypeSlug,
[

2
web/src/app/home/plugins/components/plugin-installed/plugin-readme/PluginReadme.tsx
View File

@@ -4,6 +4,7 @@ import { useTranslation } from 'react-i18next';
import ReactMarkdown from 'react-markdown';
import remarkGfm from 'remark-gfm';
import rehypeRaw from 'rehype-raw';
import rehypeSanitize from 'rehype-sanitize';
import rehypeHighlight from 'rehype-highlight';
import rehypeSlug from 'rehype-slug';
import rehypeAutolinkHeadings from 'rehype-autolink-headings';
@@ -51,6 +52,7 @@ export default function PluginReadme({
remarkPlugins={[remarkGfm]}
rehypePlugins={[
rehypeRaw,
rehypeSanitize,
rehypeHighlight,
rehypeSlug,
[