mirror of https://github.com/langgenius/dify.git
fix: sanitizer svg to avoid xss (#16608)
This commit is contained in:
Joel
GitHub
parent
acd7fead87
commit
061a765b7d
|
|
@ -10,6 +10,7 @@ import SyntaxHighlighter from 'react-syntax-highlighter'
|
|||
import { atelierHeathLight } from 'react-syntax-highlighter/dist/esm/styles/hljs'
|
||||
import { Component, memo, useMemo, useRef, useState } from 'react'
|
||||
import type { CodeComponent } from 'react-markdown/lib/ast-to-react'
|
||||
import SVGRenderer from './svg-gallery'
|
||||
import cn from '@/utils/classnames'
|
||||
import CopyBtn from '@/app/components/base/copy-btn'
|
||||
import SVGBtn from '@/app/components/base/svg'
|
||||
|
|
@ -118,13 +119,13 @@ const CodeBlock: CodeComponent = memo(({ inline, className, children, ...props }
|
|||
</div>
|
||||
)
|
||||
}
|
||||
// else if (language === 'svg' && isSVG) {
|
||||
// return (
|
||||
// <ErrorBoundary>
|
||||
// <SVGRenderer content={content} />
|
||||
// </ErrorBoundary>
|
||||
// )
|
||||
// }
|
||||
else if (language === 'svg' && isSVG) {
|
||||
return (
|
||||
<ErrorBoundary>
|
||||
<SVGRenderer content={content} />
|
||||
</ErrorBoundary>
|
||||
)
|
||||
}
|
||||
else {
|
||||
return (
|
||||
<SyntaxHighlighter
|
||||
|
|
@ -224,16 +225,8 @@ const Link = ({ node, ...props }: any) => {
|
|||
}
|
||||
}
|
||||
|
||||
function escapeSVGTags(htmlString: string): string {
|
||||
return htmlString.replace(/(<svg[\s\S]*?>)([\s\S]*?)(<\/svg>)/gi, (match: string, openTag: string, innerContent: string, closeTag: string): string => {
|
||||
return openTag.replace(/</g, '<').replace(/>/g, '>')
|
||||
+ innerContent.replace(/</g, '<').replace(/>/g, '>')
|
||||
+ closeTag.replace(/</g, '<').replace(/>/g, '>')
|
||||
})
|
||||
}
|
||||
|
||||
export function Markdown(props: { content: string; className?: string }) {
|
||||
const latexContent = preprocessLaTeX(escapeSVGTags(props.content))
|
||||
const latexContent = preprocessLaTeX(props.content)
|
||||
return (
|
||||
<div className={cn(props.className, 'markdown-body')}>
|
||||
<ReactMarkdown
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
import { useEffect, useRef, useState } from 'react'
|
||||
import { SVG } from '@svgdotjs/svg.js'
|
||||
import DOMPurify from 'dompurify'
|
||||
import ImagePreview from '@/app/components/base/image-uploader/image-preview'
|
||||
|
||||
export const SVGRenderer = ({ content }: { content: string }) => {
|
||||
|
|
@ -44,7 +45,7 @@ export const SVGRenderer = ({ content }: { content: string }) => {
|
|||
|
||||
svgRef.current.style.width = `${Math.min(originalWidth, 298)}px`
|
||||
|
||||
const rootElement = draw.svg(content)
|
||||
const rootElement = draw.svg(DOMPurify.sanitize(content))
|
||||
|
||||
rootElement.click(() => {
|
||||
setImagePreview(svgToDataURL(svgElement as Element))
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@
|
|||
"crypto-js": "^4.2.0",
|
||||
"dayjs": "^1.11.7",
|
||||
"decimal.js": "^10.4.3",
|
||||
"dompurify": "^3.2.4",
|
||||
"echarts": "^5.5.1",
|
||||
"echarts-for-react": "^3.0.2",
|
||||
"elkjs": "^0.9.3",
|
||||
|
|
|
|||
Loading…
Reference in New Issue