
Commit 9791237

authored
Sanitize messages (#2401)
Fix CodeQL warning about unsanitized DOM strings
1 parent a25c8ef commit 9791237


3 files changed

+25
-2
lines changed


package-lock.json

Lines changed: 19 additions & 0 deletions

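--- a/package.json
+++ b/package.json
@@ -33,6 +33,7 @@
 "@vscode/markdown-it-katex": "^1.0.0",
 "@vscode/test-web": "^0.0.66",
 "chai": "^4.3.10",
+"dompurify": "^3.2.5",
 "esbuild": "^0.25.0",
 "eslint": "^9.17.0",
 "events": "^3.3.0",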

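--- a/vscode/src/webview/editor.tsx
+++ b/vscode/src/webview/editor.tsx
@@ -6,6 +6,7 @@
 const vscodeApi = acquireVsCodeApi();
 
 import { render } from "preact";
+import DOMPurify from "dompurify";
 import { CircuitPanel, CircuitProps } from "qsharp-lang/ux";
 import { setThemeStylesheet } from "./theme";
 
@@ -36,10 +37,12 @@ function onMessage(event: any) {
 }
 switch (message.command) {
 case "error": {
+const sanitizedMessage = DOMPurify.sanitize(message.props.message);
+const sanitizedTitle = DOMPurify.sanitize(message.props.title);
 document.body.innerHTML = `
 <div class="error">
-<h1>${message.props.title}</h1>
-<p>${message.props.message}</p>
+<h1>${sanitizedTitle}</h1>
+<p>${sanitizedMessage}</p>
 </div>
 `;
 return;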
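Review bot: The sanitized values in the `case "error"` hunk are still interpolated into `document.body.innerHTML` as HTML, so a title or message that happens to contain markup (a `<b>` or `<a>` tag, say) is rendered as markup rather than shown literally. If these two fields are meant to be plain text, which the `error` command suggests, building the elements and assigning `textContent` removes the injection surface without a sanitizer pass and without the new `dompurify` dependency, and leaves no allow-list to maintain. Keeping DOMPurify is reasonable if callers intentionally send HTML in error messages; in that case a comment on the two `sanitize` lines stating which markup is expected would help the next reader. `onMessage` starts and ends outside the hunk.

```typescript
case "error": {
  const errorDiv = document.createElement("div");
  errorDiv.className = "error";
  const heading = document.createElement("h1");
  heading.textContent = message.props.title;
  const body = document.createElement("p");
  body.textContent = message.props.message;
  errorDiv.append(heading, body);
  document.body.replaceChildren(errorDiv);
  return;
```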
