Fix: Implement DOMPurify to sanitize HTML content before rendering (#1498)

### What problem does this PR solve? This PR resolves issue #1491 related to HTML Injection and Cross-Site Scripting (XSS). The issue was caused by the unsafe usage of `dangerouslySetInnerHTML` without proper sanitization of user input. ### Changes - Added DOMPurify dependency. - Updated the following components to use DOMPurify: - `web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx` - `web/src/pages/chat/markdown-content/index.tsx` - `web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx` ### Type of change - [x] Other (please describe): Security Fix
2025-12-08 20:42:30 +08:00 · 2024-07-15 04:24:23 +02:00
parent 2dea8448a6
commit bafe137502
5 changed files with 35 additions and 3 deletions
--- a/web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx
+++ b/web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx
@ -2,6 +2,7 @@ import Image from '@/components/image';
 import { IChunk } from '@/interfaces/database/knowledge';
 import { Card, Checkbox, CheckboxProps, Flex, Popover, Switch } from 'antd';
 import classNames from 'classnames';
+import DOMPurify from 'dompurify';
 import { useState } from 'react';

 import { ChunkTextMode } from '../../constant';
@ -73,7 +74,9 @@ const ChunkCard = ({
          className={styles.content}
        >
          <div
-            dangerouslySetInnerHTML={{ __html: item.content_with_weight }}
+            dangerouslySetInnerHTML={{
+              __html: DOMPurify.sanitize(item.content_with_weight),
+            }}
            className={classNames({
              [styles.contentEllipsis]: textMode === ChunkTextMode.Ellipse,
            })}