feat: add rehype-sanitize for enhanced Markdown security

- Added rehype-sanitize as a dependency to sanitize Markdown content. - Updated the Markdown component to include rehype-sanitize in the rehypePlugins for improved security against XSS attacks.
2026-01-30 06:12:03 +00:00 · 2025-12-22 20:22:40 +01:00
parent a0fd19fe17
commit 0b8a79bc25
3 changed files with 34 additions and 2 deletions
--- a/apps/ui/src/components/ui/markdown.tsx
+++ b/apps/ui/src/components/ui/markdown.tsx
@@ -1,5 +1,6 @@
 import ReactMarkdown from 'react-markdown';
 import rehypeRaw from 'rehype-raw';
+import rehypeSanitize from 'rehype-sanitize';
 import { cn } from '@/lib/utils';

 interface MarkdownProps {
@@ -44,7 +45,7 @@ export function Markdown({ children, className }: MarkdownProps) {
        className
      )}
    >
-      <ReactMarkdown rehypePlugins={[rehypeRaw]}>{children}</ReactMarkdown>
+      <ReactMarkdown rehypePlugins={[rehypeRaw, rehypeSanitize]}>{children}</ReactMarkdown>
    </div>
  );
 }
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,6 +14,7 @@
      ],
      "dependencies": {
        "cross-spawn": "^7.0.6",
+        "rehype-sanitize": "^6.0.0",
        "tree-kill": "^1.2.2"
      },
      "devDependencies": {
@@ -1208,7 +1209,7 @@
    },
    "node_modules/@electron/node-gyp": {
      "version": "10.2.0-electron.1",
-      "resolved": "git+https://github.com/electron/node-gyp.git#06b29aafb7708acef8b3669835c8a7857ebc92d2",
+      "resolved": "git+ssh://git@github.com/electron/node-gyp.git#06b29aafb7708acef8b3669835c8a7857ebc92d2",
      "integrity": "sha512-4MSBTT8y07YUDqf69/vSh80Hh791epYqGtWHO3zSKhYFwQg+gx9wi1PqbqP6YqC4WMsNxZ5l9oDmnWdK5pfCKQ==",
      "dev": true,
      "license": "MIT",
@@ -9932,6 +9933,21 @@
        "url": "https://opencollective.com/unified"
      }
    },
+    "node_modules/hast-util-sanitize": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/hast-util-sanitize/-/hast-util-sanitize-5.0.2.tgz",
+      "integrity": "sha512-3yTWghByc50aGS7JlGhk61SPenfE/p1oaFeNwkOOyrscaOkMGrcW9+Cy/QAIOBpZxP1yqDIzFMR0+Np0i0+usg==",
+      "license": "MIT",
+      "dependencies": {
+        "@types/hast": "^3.0.0",
+        "@ungap/structured-clone": "^1.0.0",
+        "unist-util-position": "^5.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
    "node_modules/hast-util-to-jsx-runtime": {
      "version": "2.3.6",
      "resolved": "https://registry.npmjs.org/hast-util-to-jsx-runtime/-/hast-util-to-jsx-runtime-2.3.6.tgz",
@@ -13663,6 +13679,20 @@
        "url": "https://opencollective.com/unified"
      }
    },
+    "node_modules/rehype-sanitize": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/rehype-sanitize/-/rehype-sanitize-6.0.0.tgz",
+      "integrity": "sha512-CsnhKNsyI8Tub6L4sm5ZFsme4puGfc6pYylvXo1AeqaGbjOYyzNv3qZPwvs0oMJ39eryyeOdmxwUIo94IpEhqg==",
+      "license": "MIT",
+      "dependencies": {
+        "@types/hast": "^3.0.0",
+        "hast-util-sanitize": "^5.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/unified"
+      }
+    },
    "node_modules/remark-parse": {
      "version": "11.0.0",
      "resolved": "https://registry.npmjs.org/remark-parse/-/remark-parse-11.0.0.tgz",
--- a/package.json
+++ b/package.json
@@ -53,6 +53,7 @@
  },
  "dependencies": {
    "cross-spawn": "^7.0.6",
+    "rehype-sanitize": "^6.0.0",
    "tree-kill": "^1.2.2"
  },
  "devDependencies": {