usememos/memos
1
1
Fork 0
mirror of https://github.com/usememos/memos.git synced 2025-10-09 22:06:53 +08:00
Code Issues Projects Releases Packages Wiki Activity

fix: code blocks of unknown languages cause HTML injection (#3711)

Browse source 
* fix: code blocks of unknown languages cause HTML injection

A code block of unknown language (that is, a language not treated as special by Memos and not handled by highlight.js) should fall back on rendering its plaintext content. However, the content is never properly escaped before it is appended to the DOM, and thus any string that happens to contain HTML is unsafely rendered. This commit fixes the issue by ensuring that, when none of the previous cases handle the text, any HTML entities are escaped first.

* Update CodeBlock.tsx to conform to eslint
This commit is contained in:
andrigamerita 2024-07-19 02:32:58 +02:00 committed by GitHub
parent af952807c7
commit d264f45979
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
web/src/components/MemoContent/CodeBlock.tsx
View file

@ -42,7 +42,10 @@ const CodeBlock: React.FC<Props> = ({ language, content }: Props) => {
// Skip error and use default highlighted code.
}
return content;
// escape any HTML entities when rendering original content
return Object.assign(document.createElement("span"), {
textContent: content,
}).innerHTML;
}, [formatedLanguage, content]);
const handleCopyButtonClick = useCallback(() => {