From a4ace56a401ffc8ce0082d7444159dfd5dc28834 Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Thu, 11 Jan 2024 09:57:59 -0800
Subject: [PATCH] Patch minor XSS opportunity where user can self-XSS
 themselves.  (#574)

Patch minor XSS opportunity where a user can self-XSS themselves. There is no real vuln here as no instance is public facing.
---
 frontend/package.json                                       | 1 +
 .../ChatContainer/ChatHistory/HistoricalMessage/index.jsx   | 6 +++++-
 frontend/yarn.lock                                          | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/frontend/package.json b/frontend/package.json
index ff2698953..86e552ab7 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -16,6 +16,7 @@
     "@microsoft/fetch-event-source": "^2.0.1",
     "@phosphor-icons/react": "^2.0.13",
     "buffer": "^6.0.3",
+    "dompurify": "^3.0.8",
     "he": "^1.2.0",
     "highlight.js": "^11.9.0",
     "lodash.debounce": "^4.0.8",
diff --git a/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx b/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx
index f0605a372..4637b1cd7 100644
--- a/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx
+++ b/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx
@@ -6,6 +6,8 @@ import { userFromStorage } from "@/utils/request";
 import Citations from "../Citation";
 import { AI_BACKGROUND_COLOR, USER_BACKGROUND_COLOR } from "@/utils/constants";
 import { v4 } from "uuid";
+import createDOMPurify from "dompurify";
+const DOMPurify = createDOMPurify(window);
 
 const HistoricalMessage = forwardRef(
   (
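Review bot: `const DOMPurify = createDOMPurify(window);` dereferences `window` at module-evaluation time, so importing this component in any non-browser context (unit tests, SSR, tooling) throws before anything renders. The package's default export, `import DOMPurify from "dompurify";`, already yields an instance bound to the global window when one exists and is the conventional form for a browser bundle; the explicit factory is only needed when supplying a different window (e.g. jsdom). If the factory form is deliberate, a one-line comment at the call site would save the next reader the question, e.g. `// bind the sanitizer to the real window; markdown output is injected as HTML below`. The `HistoricalMessage` definition continues outside this hunk.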
@@ -45,7 +47,9 @@ const HistoricalMessage = forwardRef(
             ) : (
               <span
                 className={`whitespace-pre-line text-white font-normal text-sm md:text-sm flex flex-col gap-y-1 mt-2`}
-                dangerouslySetInnerHTML={{ __html: renderMarkdown(message) }}
+                dangerouslySetInnerHTML={{
+                  __html: DOMPurify.sanitize(renderMarkdown(message)),
+                }}
               />
             )}
           </div>
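Review bot: The sanitize call is placed correctly (on the rendered markup, immediately before it is injected), but nothing at the call site records why it must not be removed; suggest adding `// message content is model/user-controlled: sanitize the rendered HTML before injecting it` above the `dangerouslySetInnerHTML` prop. Only this branch of the ternary is changed; the other branch at `) : (` and any other consumers of `renderMarkdown` lie outside the hunk, so it is worth confirming none of them still inject its output unsanitized. The single-argument `DOMPurify.sanitize(...)` uses the default profile, which is appropriate here; if the markdown renderer later needs attributes that profile strips, allow them explicitly rather than loosening sanitization globally. The enclosing `HistoricalMessage` body starts and ends outside this hunk.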
diff --git a/frontend/yarn.lock b/frontend/yarn.lock
index e7b223df9..c9181f15f 100644
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@@ -1021,6 +1021,11 @@ doctrine@^3.0.0:
   dependencies:
     esutils "^2.0.2"
 
+dompurify@^3.0.8:
+  version "3.0.8"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.8.tgz#e0021ab1b09184bc8af7e35c7dd9063f43a8a437"
+  integrity sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ==
+
 electron-to-chromium@^1.4.535:
   version "1.4.576"
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.576.tgz#0c6940fdc0d60f7e34bd742b29d8fa847c9294d1"
-- 
GitLab