#6 fix potential xss issue

Author: Exortions

client/components/editor/Terminal.tsx

@@ -2,6 +2,8 @@ import React from 'react';
 
 import { Paper, Divider, TextField, InputAdornment } from '@mui/material';
 
+import dompurify from 'dompurify';
+
 import Convert from 'ansi-to-html';
 
 const convert = new Convert();
@@ -50,14 +52,19 @@ export default function Terminal(props: {
                             <br />
 
                             <span className="terminal-command-output">
-                                {command.output.map((output: string): any => (
-                                    <div>
-                                        <td
-                                            dangerouslySetInnerHTML={{ __html: convert.toHtml(output) }}
-                                            style={{ paddingLeft: '16px' }}
-                                        />
-                                    </div>
-                                ))}
+                                {command.output.map((output: string): any => {
+                                    const html = convert.toHtml(output);
+                                    const sanitizer = dompurify.sanitize;
+
+                                    return (
+                                        <div>
+                                            <td
+                                                dangerouslySetInnerHTML={{ __html: sanitizer(html) }}
+                                                style={{ paddingLeft: '16px' }}
+                                            />
+                                        </div>
+                                    );
+                                })}
                             </span>
                         </div>
                     ))}

package.json

@@ -30,6 +30,7 @@
         "body-parser": "^1.20.0",
         "chalk": "4.1.2",
         "cors": "^2.8.5",
+        "dompurify": "^2.4.0",
         "express": "^4.18.1",
         "jsonwebtoken": "^8.5.1",
         "monaco-editor": "^0.34.0",
@@ -42,6 +43,7 @@
     },
     "devDependencies": {
         "@babel/core": "^7.19.3",
+        "@types/dompurify": "^2.3.4",
         "@types/express": "^4.17.14",
         "@types/jest": "^29.1.1",
         "@types/jsonwebtoken": "^8.5.9",

yarn.lock

@@ -1054,6 +1054,13 @@
   resolved "https://registry.yarnpkg.com/@types/cors/-/cors-2.8.12.tgz#6b2c510a7ad7039e98e7b8d3d6598f4359e5c080"
   integrity sha512-vt+kDhq/M2ayberEtJcIN/hxXy1Pk+59g2FV/ZQceeaTyCtCucjL2Q7FXlFjtWn4n15KCr1NE2lNNFhp0lEThw==
 
+"@types/dompurify@^2.3.4":
+  version "2.3.4"
+  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-2.3.4.tgz#94e997e30338ea24d4c8d08beca91ce4dd17a1b4"
+  integrity sha512-EXzDatIb5EspL2eb/xPGmaC8pePcTHrkDCONjeisusLFrVfl38Pjea/R0YJGu3k9ZQadSvMqW0WXPI2hEo2Ajg==
+  dependencies:
+    "@types/trusted-types" "*"
+
 "@types/eslint-scope@^3.7.3":
   version "3.7.4"
   resolved "https://registry.yarnpkg.com/@types/eslint-scope/-/eslint-scope-3.7.4.tgz#37fc1223f0786c39627068a12e94d6e6fc61de16"
@@ -1262,6 +1269,11 @@
   dependencies:
     "@types/superagent" "*"
 
+"@types/trusted-types@*":
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.2.tgz#fc25ad9943bcac11cceb8168db4f275e0e72e756"
+  integrity sha512-F5DIZ36YVLE+PN+Zwws4kJogq47hNgX3Nx6WyDJ3kcplxyke3XIzB8uK5n/Lpm1HBsbGzd6nmGehL8cPekP+Tg==
+
 "@types/uuid@^8.3.4":
   version "8.3.4"
   resolved "https://registry.yarnpkg.com/@types/uuid/-/uuid-8.3.4.tgz#bd86a43617df0594787d38b735f55c805becf1bc"
@@ -2393,6 +2405,11 @@ dom-helpers@^5.0.1:
     "@babel/runtime" "^7.8.7"
     csstype "^3.0.2"
 
+dompurify@^2.4.0:
+  version "2.4.0"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.4.0.tgz#c9c88390f024c2823332615c9e20a453cf3825dd"
+  integrity sha512-Be9tbQMZds4a3C6xTmz68NlMfeONA//4dOavl/1rNw50E+/QO0KVpbcU0PcaW0nsQxurXls9ZocqFxk8R2mWEA==
+
 dotenv-defaults@^2.0.2:
   version "2.0.2"
   resolved "https://registry.yarnpkg.com/dotenv-defaults/-/dotenv-defaults-2.0.2.tgz#6b3ec2e4319aafb70940abda72d3856770ee77ac"