Sanitize HTML rendered from Markdown (#39)

assets/js/cell/markdown.js

@@ -1,5 +1,6 @@
 import marked from "marked";
 import morphdom from "morphdom";
+import DOMPurify from 'dompurify';
 
 /**
  * Renders markdown content in the given container.
@@ -28,9 +29,10 @@ class Markdown {
 
   __getHtml() {
     const html = marked(this.content);
+    const sanitizedHtml = DOMPurify.sanitize(html);
 
-    if (html) {
-      return html;
+    if (sanitizedHtml) {
+      return sanitizedHtml;
     } else {
       return `
         <div class="text-gray-300">

assets/package-lock.json

@@ -4109,6 +4109,11 @@
         }
       }
     },
+    "dompurify": {
+      "version": "2.2.6",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.2.6.tgz",
+      "integrity": "sha512-7b7ZArhhH0SP6W2R9cqK6RjaU82FZ2UPM7RO8qN1b1wyvC/NY1FNWcX1Pu00fFOAnzEORtwXe4bPaClg6pUybQ=="
+    },
     "domutils": {
       "version": "1.7.0",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-1.7.0.tgz",

assets/package.json

@@ -10,6 +10,7 @@
     "test:watch": "jest"
   },
   "dependencies": {
+    "dompurify": "^2.2.6",
     "marked": "^1.2.8",
     "monaco-editor": "^0.21.2",
     "morphdom": "^2.6.1",