pengjunjie/ragflow
1
0
Fork 1
mirror of https://github.com/infiniflow/ragflow.git synced 2025-12-21 13:32:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Implement DOMPurify to sanitize HTML content before rendering (#1498)

Browse Source 
### What problem does this PR solve?

This PR resolves issue #1491 related to HTML Injection and Cross-Site
Scripting (XSS). The issue was caused by the unsafe usage of
`dangerouslySetInnerHTML` without proper sanitization of user input.

### Changes
- Added DOMPurify dependency.
- Updated the following components to use DOMPurify:
-
`web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx`
  - `web/src/pages/chat/markdown-content/index.tsx`
-
`web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx`

### Type of change

- [x] Other (please describe): Security Fix
This commit is contained in:
Dani Servian
2024-07-15 04:24:23 +02:00
committed by GitHub
parent 2dea8448a6
commit bafe137502
5 changed files with 35 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx
View File

@ -2,6 +2,7 @@ import Image from '@/components/image';
import { IChunk } from '@/interfaces/database/knowledge';
import { Card, Checkbox, CheckboxProps, Flex, Popover, Switch } from 'antd';
import classNames from 'classnames';
import DOMPurify from 'dompurify';
import { useState } from 'react';
import { ChunkTextMode } from '../../constant';
@ -73,7 +74,9 @@ const ChunkCard = ({
className={styles.content}
>
<div
dangerouslySetInnerHTML={{ __html: item.content_with_weight }}
dangerouslySetInnerHTML={{
__html: DOMPurify.sanitize(item.content_with_weight),
}}
className={classNames({
[styles.contentEllipsis]: textMode === ChunkTextMode.Ellipse,
})}

3
web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx
View File

@ -2,6 +2,7 @@ import SvgIcon from '@/components/svg-icon';
import { useTranslate } from '@/hooks/commonHooks';
import { useSelectParserList } from '@/hooks/userSettingHook';
import { Col, Divider, Empty, Row, Typography } from 'antd';
import DOMPurify from 'dompurify';
import { useMemo } from 'react';
import styles from './index.less';
import { ImageMap } from './utils';
@ -39,7 +40,7 @@ const CategoryPanel = ({ chunkMethod }: { chunkMethod: string }) => {
</Title>
<p
dangerouslySetInnerHTML={{
__html: item.description,
__html: DOMPurify.sanitize(item.description),
}}
></p>
<Title level={5}>