Actually sanitize rendered Markdown

author: Kit La Touche <kit@transneptune.net> 2024-11-02 15:35:17 -0400
committer: Kit La Touche <kit@transneptune.net> 2024-11-02 15:35:17 -0400
commit: a5a293558592cf53bf6bdde44e793dd6ab243837 (patch)
tree: bc2f0f0b28be7cb9e93f64022798bd93ddd9133f
parent: a32b0ab6ad7995b8fff98e423793a7c6521ea1e9 (diff)
3 files changed, 47 insertions, 31 deletions
diff --git a/package-lock.json b/package-lock.json
index 5e97f90..7947d20 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,7 +9,8 @@
 			"version": "0.0.1",
 			"dependencies": {
 				"axios": "^1.7.7",
-				"svelte-markdown": "^0.4.1"
+				"dompurify": "^3.1.7",
+				"marked": "^14.1.3"
 			},
 			"devDependencies": {
 				"@skeletonlabs/skeleton": "^2.10.2",
@@ -31,6 +32,10 @@
 				"svelte": "^4.2.19",
 				"tailwindcss": "^3.4.14",
 				"vite": "^5.4.9"
+			},
+			"engines": {
+				"node": ">=22.9.0 <23.0.0",
+				"npm": ">=10.8.3 <11.0.0"
 			}
 		},
 		"node_modules/@alloc/quick-lru": {
@@ -50,6 +55,7 @@
 			"version": "2.3.0",
 			"resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
 			"integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
+			"dev": true,
 			"license": "Apache-2.0",
 			"dependencies": {
 				"@jridgewell/gen-mapping": "^0.3.5",
@@ -658,6 +664,7 @@
 			"version": "0.3.5",
 			"resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz",
 			"integrity": "sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@jridgewell/set-array": "^1.2.1",
@@ -672,6 +679,7 @@
 			"version": "3.1.2",
 			"resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
 			"integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">=6.0.0"
@@ -681,6 +689,7 @@
 			"version": "1.2.1",
 			"resolved": "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.2.1.tgz",
 			"integrity": "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==",
+			"dev": true,
 			"license": "MIT",
 			"engines": {
 				"node": ">=6.0.0"
@@ -690,12 +699,14 @@
 			"version": "1.5.0",
 			"resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz",
 			"integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==",
+			"dev": true,
 			"license": "MIT"
 		},
 		"node_modules/@jridgewell/trace-mapping": {
 			"version": "0.3.25",
 			"resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz",
 			"integrity": "sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@jridgewell/resolve-uri": "^3.1.0",
@@ -1137,6 +1148,7 @@
 			"version": "1.0.6",
 			"resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.6.tgz",
 			"integrity": "sha512-AYnb1nQyY49te+VRAVgmzfcgjYS91mY5P0TKUDCLEM+gNnA+3T6rWITXRLYCpahpqSQbN5cE+gHpnPyXjHWxcw==",
+			"dev": true,
 			"license": "MIT"
 		},
 		"node_modules/@types/json-schema": {
@@ -1146,16 +1158,11 @@
 			"dev": true,
 			"license": "MIT"
 		},
-		"node_modules/@types/marked": {
-			"version": "5.0.2",
-			"resolved": "https://registry.npmjs.org/@types/marked/-/marked-5.0.2.tgz",
-			"integrity": "sha512-OucS4KMHhFzhz27KxmWg7J+kIYqyqoW5kdIEI319hqARQQUTqhao3M/F+uFnDXD0Rg72iDDZxZNxq5gvctmLlg==",
-			"license": "MIT"
-		},
 		"node_modules/acorn": {
 			"version": "8.13.0",
 			"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.13.0.tgz",
 			"integrity": "sha512-8zSiw54Oxrdym50NlZ9sUusyO1Z1ZchgRLWRaK6c86XJFClyCgFKetdowBg5bKxyp/u+CDBJG4Mpp0m3HLZl9w==",
+			"dev": true,
 			"license": "MIT",
 			"bin": {
 				"acorn": "bin/acorn"
@@ -1259,6 +1266,7 @@
 			"version": "5.3.2",
 			"resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.2.tgz",
 			"integrity": "sha512-COROpnaoap1E2F000S62r6A60uHZnmlvomhfyT2DlTcrY1OrBKn2UhH7qn5wTC9zMvD0AY7csdPSNwKP+7WiQw==",
+			"dev": true,
 			"license": "Apache-2.0",
 			"engines": {
 				"node": ">= 0.4"
@@ -1323,6 +1331,7 @@
 			"version": "4.1.0",
 			"resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz",
 			"integrity": "sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==",
+			"dev": true,
 			"license": "Apache-2.0",
 			"engines": {
 				"node": ">= 0.4"
@@ -1505,6 +1514,7 @@
 			"version": "1.0.4",
 			"resolved": "https://registry.npmjs.org/code-red/-/code-red-1.0.4.tgz",
 			"integrity": "sha512-7qJWqItLA8/VPVlKJlFXU+NBlo/qyfs39aJcuMT/2ere32ZqvF5OSxgdM5xOfJJ7O429gg2HM47y8v9P+9wrNw==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@jridgewell/sourcemap-codec": "^1.4.15",
@@ -1592,6 +1602,7 @@
 			"version": "2.3.1",
 			"resolved": "https://registry.npmjs.org/css-tree/-/css-tree-2.3.1.tgz",
 			"integrity": "sha512-6Fv1DV/TYw//QF5IzQdqsNDjx/wc8TrMBZsqjL9eW01tWb7R7k/mq+/VXfJCl7SoD5emsJop9cOByJZfs8hYIw==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"mdn-data": "2.0.30",
@@ -1679,6 +1690,12 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/dompurify": {
+			"version": "3.1.7",
+			"resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.1.7.tgz",
+			"integrity": "sha512-VaTstWtsneJY8xzy7DekmYWEOZcmzIe3Qb3zPd4STve1OBTa+e+WmS1ITQec1fZYXI3HCsOZZiSMpG6oxoWMWQ==",
+			"license": "(MPL-2.0 OR Apache-2.0)"
+		},
 		"node_modules/eastasianwidth": {
 			"version": "0.2.0",
 			"resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
@@ -1982,6 +1999,7 @@
 			"version": "3.0.3",
 			"resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
 			"integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@types/estree": "^1.0.0"
@@ -2446,6 +2464,7 @@
 			"version": "3.0.2",
 			"resolved": "https://registry.npmjs.org/is-reference/-/is-reference-3.0.2.tgz",
 			"integrity": "sha512-v3rht/LgVcsdZa3O2Nqs+NMowLOxeOm7Ay9+/ARQ2F+qEoANRcqrjAZKGN0v8ymUetZGgkp26LTnGT7H0Qo9Pg==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@types/estree": "*"
@@ -2580,6 +2599,7 @@
 			"version": "3.0.0",
 			"resolved": "https://registry.npmjs.org/locate-character/-/locate-character-3.0.0.tgz",
 			"integrity": "sha512-SW13ws7BjaeJ6p7Q6CO2nchbYEc3X3J6WrmTTDto7yMPqVSZTUyY5Tjbid+Ab8gLnATtygYtiDIJGQRRn2ZOiA==",
+			"dev": true,
 			"license": "MIT"
 		},
 		"node_modules/locate-path": {
@@ -2616,27 +2636,29 @@
 			"version": "0.30.12",
 			"resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.12.tgz",
 			"integrity": "sha512-Ea8I3sQMVXr8JhN4z+H/d8zwo+tYDgHE9+5G4Wnrwhs0gaK9fXTKx0Tw5Xwsd/bCPTTZNRAdpyzvoeORe9LYpw==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@jridgewell/sourcemap-codec": "^1.5.0"
 			}
 		},
 		"node_modules/marked": {
-			"version": "5.1.2",
-			"resolved": "https://registry.npmjs.org/marked/-/marked-5.1.2.tgz",
-			"integrity": "sha512-ahRPGXJpjMjwSOlBoTMZAK7ATXkli5qCPxZ21TG44rx1KEo44bii4ekgTDQPNRQ4Kh7JMb9Ub1PVk1NxRSsorg==",
+			"version": "14.1.3",
+			"resolved": "https://registry.npmjs.org/marked/-/marked-14.1.3.tgz",
+			"integrity": "sha512-ZibJqTULGlt9g5k4VMARAktMAjXoVnnr+Y3aCqW1oDftcV4BA3UmrBifzXoZyenHRk75csiPu9iwsTj4VNBT0g==",
 			"license": "MIT",
 			"bin": {
 				"marked": "bin/marked.js"
 			},
 			"engines": {
-				"node": ">= 16"
+				"node": ">= 18"
 			}
 		},
 		"node_modules/mdn-data": {
 			"version": "2.0.30",
 			"resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.0.30.tgz",
 			"integrity": "sha512-GaqWWShW4kv/G9IEucWScBx9G1/vsFZZJUO+tD26M8J8z3Kw5RDQjaoZe03YAClgeS/SWPOcb4nkFBTEi5DUEA==",
+			"dev": true,
 			"license": "CC0-1.0"
 		},
 		"node_modules/merge2": {
@@ -2947,6 +2969,7 @@
 			"version": "3.1.0",
 			"resolved": "https://registry.npmjs.org/periscopic/-/periscopic-3.1.0.tgz",
 			"integrity": "sha512-vKiQ8RRtkl9P+r/+oefh25C3fhybptkHKCZSPlcXiJux2tJF55GnEj3BVn4A5gKfq9NWWXXrxkHBwVPUfH0opw==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@types/estree": "^1.0.0",
@@ -3466,6 +3489,7 @@
 			"version": "1.2.1",
 			"resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
 			"integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+			"dev": true,
 			"license": "BSD-3-Clause",
 			"engines": {
 				"node": ">=0.10.0"
@@ -3641,6 +3665,7 @@
 			"version": "4.2.19",
 			"resolved": "https://registry.npmjs.org/svelte/-/svelte-4.2.19.tgz",
 			"integrity": "sha512-IY1rnGr6izd10B0A8LqsBfmlT5OILVuZ7XsI0vdGPEvuonFV7NYEUK4dAkm9Zg2q0Um92kYjTpS1CAP3Nh/KWw==",
+			"dev": true,
 			"license": "MIT",
 			"dependencies": {
 				"@ampproject/remapping": "^2.2.1",
@@ -3751,19 +3776,6 @@
 				"svelte": "^3.19.0 || ^4.0.0"
 			}
 		},
-		"node_modules/svelte-markdown": {
-			"version": "0.4.1",
-			"resolved": "https://registry.npmjs.org/svelte-markdown/-/svelte-markdown-0.4.1.tgz",
-			"integrity": "sha512-pOlLY6EruKJaWI9my/2bKX8PdTeP5CM0s4VMmwmC2prlOkjAf+AOmTM4wW/l19Y6WZ87YmP8+ZCJCCwBChWjYw==",
-			"license": "MIT",
-			"dependencies": {
-				"@types/marked": "^5.0.1",
-				"marked": "^5.1.2"
-			},
-			"peerDependencies": {
-				"svelte": "^4.0.0"
-			}
-		},
 		"node_modules/tailwindcss": {
 			"version": "3.4.14",
 			"resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.14.tgz",
diff --git a/package.json b/package.json
index 8a54766..b2f9e37 100644
--- a/package.json
+++ b/package.json
@@ -2,10 +2,10 @@
 	"name": "hi",
 	"version": "0.0.1",
 	"private": true,
-    "engines" : { 
-        "npm" : ">=10.8.3 <11.0.0",
-        "node" : ">=22.9.0 <23.0.0"
-    },
+	"engines": {
+		"npm": ">=10.8.3 <11.0.0",
+		"node": ">=22.9.0 <23.0.0"
+	},
 	"scripts": {
 		"dev": "vite dev",
 		"build": "vite build",
@@ -37,6 +37,7 @@
 	"type": "module",
 	"dependencies": {
 		"axios": "^1.7.7",
-		"svelte-markdown": "^0.4.1"
+		"dompurify": "^3.1.7",
+		"marked": "^14.1.3"
 	}
 }
diff --git a/ui/lib/components/Message.svelte b/ui/lib/components/Message.svelte
index 75e4cc9..c9dd301 100644
--- a/ui/lib/components/Message.svelte
+++ b/ui/lib/components/Message.svelte
@@ -1,9 +1,12 @@
 <script>
-    import SvelteMarkdown from 'svelte-markdown';
+    import { marked } from 'marked';
+    import DOMPurify from 'dompurify';
 
     export let at;
     export let body;
 
+    let renderedBody = DOMPurify.sanitize(marked.parse(body));
+
     let scroll = (message) => {
         message.scrollIntoView();
     }
@@ -12,7 +15,7 @@
 <div class="message relative">
     <span class="timestamp chip variant-soft absolute top-0 right-0">{at}</span>
     <section use:scroll class="py-1">
-        <SvelteMarkdown source={body} />
+        {@html renderedBody}
     </section>
 </div>
author	Kit La Touche <kit@transneptune.net>	2024-11-02 15:35:17 -0400
committer	Kit La Touche <kit@transneptune.net>	2024-11-02 15:35:17 -0400
commit	a5a293558592cf53bf6bdde44e793dd6ab243837 (patch)
tree	bc2f0f0b28be7cb9e93f64022798bd93ddd9133f
parent	a32b0ab6ad7995b8fff98e423793a7c6521ea1e9 (diff)