Commit 9fee861
authored
fix(security): sanitize DOCX HTML output with DOMPurify to prevent XSS (#514)
Malicious DOCX files with embedded script/event-handler tags rendered
via mammoth.convertToHtml() + dangerouslySetInnerHTML without sanitization
could execute arbitrary JavaScript in the user's browser.
Fix: Install DOMPurify and sanitize mammoth's HTML output before
rendering, allowing only safe tags and attributes used by Word documents.
FCE: Cross-site scripting (XSS) via uploaded DOCX files1 parent bbf1320 commit 9fee861
3 files changed
Lines changed: 38 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
| 15 | + | |
15 | 16 | | |
16 | 17 | | |
| 18 | + | |
17 | 19 | | |
18 | 20 | | |
19 | 21 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
| 2 | + | |
2 | 3 | | |
3 | 4 | | |
4 | 5 | | |
| |||
28 | 29 | | |
29 | 30 | | |
30 | 31 | | |
31 | | - | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
32 | 41 | | |
33 | 42 | | |
34 | 43 | | |
| |||
0 commit comments