fix(frontend): sanitize markdown HTML with DOMPurify to prevent stored XSS (CWE-79)#521

Closed
sebastiondev wants to merge 54 commits into NVIDIA-AI-Blueprints:develop from sebastiondev:fix/cwe79-citationtextcontent-stored-7ec1

@sebastiondev
Contributor

Summary

Fixes a stored XSS vulnerability (CWE-79) in the frontend markdown renderer. Output from marked.parse() is passed through dangerouslySetInnerHTML without sanitization, allowing malicious HTML/JS embedded in retrieved RAG documents (or any other markdown source rendered through this hook) to execute in other users' browsers.

Vulnerability details

Data flow

  1. A document is ingested into the RAG corpus (typical deployment allows users to upload PDFs/text files).
  2. During retrieval, citation text from that document is returned to the frontend.
  3. useMarkdownRenderer calls marked.parse(content) — note that marked v5+ removed the built-in sanitizer option, so HTML embedded in the input is preserved as-is in the output.
  4. The resulting HTML string is rendered into the DOM via dangerouslySetInnerHTML.

A document containing payloads such as <img src=x onerror=alert(document.cookie)>, raw <script> tags, or <iframe src="https://evil.example"> will execute in the browser of any user who views the citation or chat message containing it.

Fix

Wrap the markdown output with DOMPurify.sanitize() inside the hook, so both consumers (CitationTextContent and MessageContent) are covered by a single chokepoint:

const renderMarkdown = useMemo(() => (content: string) => {
  const rawHtml = marked.parse(content, mergedOptions) as string;
  return DOMPurify.sanitize(rawHtml);
}, [mergedOptions]);

dompurify (^3.3.3) and @types/dompurify are added to frontend/package.json. DOMPurify is the standard, well-audited library for this purpose and uses a strict allowlist by default, stripping <script>, event handler attributes (onerror, onload, …), javascript: URIs, <iframe>, and dangerous SVG/MathML constructs while preserving normal markdown-rendered HTML (bold, italics, links, lists, code blocks, etc.).

Tests

Added frontend/src/hooks/__tests__/useMarkdownRenderer.test.ts covering:

XSS prevention

  • <script> tag stripping
  • onerror handler stripping on <img>
  • javascript: URI stripping on <a href>
  • onload handler stripping on <svg>
  • <iframe> stripping

Safe content preservation

  • Bold (**...**), italic (*...*), links, lists all render correctly.

All tests pass under npx vitest.

Security analysis

We verified this is exploitable end-to-end:

  • marked.parse() does not sanitize HTML by default since v5; the sanitizer option was removed in favor of delegating sanitization to the application.
  • Both consumers use dangerouslySetInnerHTML, so the output is injected unescaped.
  • Citation text originates from the retrieved document corpus, which is attacker-influenceable in any deployment that accepts user document uploads (the standard RAG Blueprint flow).
  • No upstream sanitization or CSP was found that would block inline event handlers or injected script execution.

The fix sanitizes at the central hook so any future caller of useMarkdownRenderer is protected by default.

Adversarial review

Before submitting, we tried to disprove this finding. We checked whether the precondition (ability to ingest a document) already grants the attacker equivalent access — it does not: document ingestion is a corpus-level capability, while the XSS executes in another user's authenticated browser session and can exfiltrate session tokens or perform actions on their behalf. We also looked for an upstream sanitizer, a CSP that would block inline handlers, or a parallel safe rendering path — none exist. marked's own docs explicitly call out that consumers must sanitize the output themselves.

Diff scope

Minimal: the hook, its test file, and the package.json/package-lock.json entries for dompurify. No behavior changes for safe markdown content.

cc @lewiswigmore
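
The following is an added example, not code from this PR or from the project: a dependency-free audit that a regression test could run over the hook's HTML output to confirm that none of the five constructs listed under "Tests" survive. The names `auditRenderedHtml`, `isScriptUrl`, `decodeEntities` and `SAMPLES` are hypothetical, and the sample strings are constructed from the payload classes named in the description; the audit is a test oracle and does not replace `DOMPurify.sanitize()`.

```javascript
// Added example: audit rendered HTML for the constructs the PR's tests expect
// to be stripped. Test oracle for CI only; all names here are hypothetical.

const BLOCKED_TAGS = new Set(["script", "iframe"]);
const URL_ATTRS = new Set(["href", "src", "xlink:href", "action", "formaction"]);
const NAMED = { colon: ":", tab: "\t", newline: "\n", amp: "&" };
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Resolve character references in one pass, as an HTML parser does before
// the attribute value is interpreted as a URL.
function decodeEntities(value) {
  const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");
  return value.replace(
    /&(?:#x([0-9a-f]+);?|#(\d+);?|(colon|tab|newline|amp);)/gi,
    (_, hex, dec, name) =>
      hex ? fromCode(parseInt(hex, 16))
      : dec ? fromCode(parseInt(dec, 10))
      : NAMED[name.toLowerCase()]
  );
}

// URL parsers drop tabs/newlines and leading control characters or spaces,
// so normalise the same way before comparing the scheme.
function isScriptUrl(value) {
  const url = value.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  return /^javascript:/i.test(url);
}

// Yield each start tag with its raw attribute text. An unbalanced quote makes
// the tag run to the end of the input, which over-reports rather than misses.
function* startTags(html) {
  const open = /<([a-z][^\s\/>]*)/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = open.lastIndex;
    let i = start;
    let quote = null;
    for (; i < html.length; i++) {
      const c = html[i];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
    }
    yield { name: m[1].toLowerCase(), attrs: html.slice(start, i) };
    open.lastIndex = Math.min(i + 1, html.length);
  }
}

// Return one finding per blocked tag, event-handler attribute or script URL.
function auditRenderedHtml(html) {
  const findings = [];
  for (const { name, attrs } of startTags(html)) {
    if (BLOCKED_TAGS.has(name)) findings.push(`tag:${name}`);
    for (const [, rawName, dq, sq, uq] of attrs.matchAll(ATTR)) {
      const attr = rawName.toLowerCase();
      const value = decodeEntities(dq ?? sq ?? uq ?? "");
      if (attr.length > 2 && attr.startsWith("on")) {
        findings.push(`handler:${name}[${attr}]`);
      } else if (URL_ATTRS.has(attr) && isScriptUrl(value)) {
        findings.push(`url:${name}[${attr}]`);
      }
    }
  }
  return findings;
}

// Constructed samples: unsanitized renderer output for each class in "Tests".
const SAMPLES = {
  script: "<p>note</p><script>alert(1)</script>",
  imgOnerror: "<img src=x onerror=alert(document.cookie)>", // quoted in the PR text
  jsHref: '<a href="javascript:void(0)">link</a>',
  svgOnload: '<svg onload="void 0"></svg>',
  iframe: '<iframe src="https://evil.example"></iframe>',
  safe: '<p><strong>bold</strong> <em>italic</em> <a href="https://example.com">' +
    "link</a></p><ul><li>item</li></ul><pre><code>&lt;script&gt;</code></pre>",
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label, auditRenderedHtml(html));
}
```

In a vitest case, the assertion would be that `auditRenderedHtml(renderMarkdown(input))` is empty for every hostile input, while the safe sample still contains its expected tags.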

smasurekar and others added 30 commits February 24, 2026 01:54
…recated SpanAttributes (NVIDIA-AI-Blueprints#377)

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
Signed-off-by: Niyati Singal <nsingal@nvidia.com>
* Added MIG Slice support for RTX 6000 pro

Signed-off-by: Punit Kumar <punitk@nvidia.com>

* Changed to default config in MIG slicing in rtx6000pro config

---------

Signed-off-by: Punit Kumar <punitk@nvidia.com>
Co-authored-by: niyatisingal <nsingal@nvidia.com>
…VIDIA-AI-Blueprints#385)

* changes to docs per bug 5767861 (NVIDIA-AI-Blueprints#328)

* Updated launchable with v2.4.0 tag (NVIDIA-AI-Blueprints#318)

* updated support matrix (NVIDIA-AI-Blueprints#321)

* Document the end‑to‑end flow from query to answer and show how to measure time spent in each stage of the RAG pipeline. (NVIDIA-AI-Blueprints#317)

* adding observability

* Update docs/debugging.md

Co-authored-by: nkmcalli <nkmcalli@yahoo.com>

* Update docs/observability.md

Co-authored-by: nkmcalli <nkmcalli@yahoo.com>

* Add query-to-answer-pipeline doc and observability/debugging updates

* Trigger CI

* getting build to kick in for observability file

* Fix typos in query-to-answer-pipeline.md and ensure file in PR for link check

* get rid of PULL_REQUEST_SUMMARY

---------

Co-authored-by: nkmcalli <nkmcalli@yahoo.com>

* fixed files associated with build (NVIDIA-AI-Blueprints#322)

* Add multimodal query integration tests to CI pipeline

* changes to docs per bug 5767861

* updated files per bug 5880717 (NVIDIA-AI-Blueprints#327)

* updated files per bug 5880717

* Update CONTRIBUTING.md

* Update README.md

* Update python-client.md

* Update readme.md

* Update readme.md

* Update docs/deploy-helm.md

Co-authored-by: nkmcalli <nkmcalli@yahoo.com>

* Update docs/deploy-helm.md

Co-authored-by: nkmcalli <nkmcalli@yahoo.com>

---------

Co-authored-by: rkharwar-nv <rkharwar@nvidia.com>
Co-authored-by: nkmcalli <nkmcalli@yahoo.com>
Co-authored-by: Pranjal Doshi <pranjald@nvidia.com>
Co-authored-by: nv-pranjald <150428320+nv-pranjald@users.noreply.github.com>

* Fix workflow rule and doc bugs (NVIDIA-AI-Blueprints#331)

* Revert back milvus version in conf.md to v2.6.5

* Modify workflow to run on any branch

* Fix workflow push rule to run on protected branches

* Add files via upload (NVIDIA-AI-Blueprints#326)

Found an error in the Q&A section where images in the citation were not being printed.

* Doc bug fixes (NVIDIA-AI-Blueprints#339)

* updated helm instructions (NVIDIA-AI-Blueprints#333)

* updated helm instructions

* Update deploy-helm.md

* fix broken image link (NVIDIA-AI-Blueprints#334)

* Add release note for Audio model deployment on Kubernetes on RTX‑6000 Pro is not supported in this release.heiss/5863956a (NVIDIA-AI-Blueprints#335)

* Add release note for Audio model deployment on Kubernetes on RTX‑6000 Pro is not supported in this release.

* Add release note for Audio model deployment on Kubernetes on RTX‑6000 Pro is not supported in this release.

* Fix broken image link in observability file

* Fix CPU search with GPU index doc

* Fix VLLM profile instruction for nemotron-3-nano

---------

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Updated troubleshoot documentation for Elasticsearch connection timeout (NVIDIA-AI-Blueprints#341)

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>

* updated path to image files so that html output is rendered correctly (NVIDIA-AI-Blueprints#363)

* Updated helm instructions for mig-deployment prerequisites (NVIDIA-AI-Blueprints#364)

* Updated helm instructions for mig-deployment

* Update mig-deployment.md

* Doc enhancement for notebook (NVIDIA-AI-Blueprints#361)

* Doc enhancement for notebook

* Update release notes

* Update launchable.ipynb (NVIDIA-AI-Blueprints#365)

Updated branch name
State name changed from "FAILURE"->"FAILED"

* Fix typo in release notes

---------

Co-authored-by: rkharwar-nv <rkharwar@nvidia.com>

* fixed links in deploy-helm and mig-deployment (NVIDIA-AI-Blueprints#367)

* update artifacts to GA version for v2.4.0 release (NVIDIA-AI-Blueprints#359)

* updated files according to style guide (NVIDIA-AI-Blueprints#369)

* Revert deploy-helm and mig-deployment to pre-11a31a4 versions (NVIDIA-AI-Blueprints#372)

* Fix release date in changelog (NVIDIA-AI-Blueprints#373)

* Bump up version to 2.5.0

---------

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
Co-authored-by: rkharwar-nv <rkharwar@nvidia.com>
Co-authored-by: nkmcalli <nkmcalli@yahoo.com>
Co-authored-by: Pranjal Doshi <pranjald@nvidia.com>
Co-authored-by: nv-pranjald <150428320+nv-pranjald@users.noreply.github.com>
Co-authored-by: Swapnil Masurekar <smasurekar@nvidia.com>
…rints#351)

* feat: add rag_event_ingest example - event-driven document/video ingestion pipeline

- Kafka consumer that monitors MinIO object storage for new uploads
- Routes documents to RAG Ingestor, videos to VSS for analysis
- Docker Compose deployment for Kafka, MinIO, and consumer
- Jupyter notebook for end-to-end deployment and testing
- Sample test data (PDF document, MP4 video) tracked via Git LFS

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: polish rag_event_ingest notebook - fix sections, descriptions, TOC

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* refactor: consolidate Setup into single cell - clone, deps, API keys

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* refactor: inline check_rag/vss/aidp_status into their usage cells

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* docs: add markdown description before every code cell

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: notebook is standalone entry point, clones RAG repo to ~/rag

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: set COLLECTION_NAME, load .env, simplify query_rag, add expected logs

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: left-align markdown tables in notebook

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: use HTML tables to force left alignment

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: replace API Keys markdown table with HTML for left alignment

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* feat: add storage verification, RAG frontend hints, and configurable consumer prompts

- Add verify_file_in_storage() helper to confirm files landed in MinIO
- Merge storage verification into document/video ingestion checks
- Add RAG Frontend UI link (port 8090) to query sections
- Make Kafka consumer VSS prompts configurable via env vars in docker-compose
- Install git/git-lfs in notebook setup cell
- Index cells in Deploy Continuous Ingestion section

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: skip RAG clone if directory already exists

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: url

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* feat: add continuous ingestion notebook for video and document pipeline

Add rag_event_ingest.ipynb notebook that provides an end-to-end walkthrough for:
- Deploying NVIDIA RAG stack (NIMs, Milvus, Ingestor, RAG Server)
- Deploying NVIDIA VSS stack (VLM, LLM, Embedding, Reranker NIMs)
- Deploying continuous ingestion pipeline (Kafka, MinIO, Kafka Consumer)
- Configurable video analysis prompts for the Kafka consumer
- Uploading documents and videos to MinIO with storage verification
- Verifying ingestion via consumer logs
- Querying ingested content via RAG API or Frontend UI

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: gpu

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: add ensurepip, fix VSS tag to v2.4.1, use GPUs 2-3 for VSS, update hw req to 4 GPUs

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* fix: tag

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* feat: resolve comment

* fix: patch VSS config to use host-mapped ports for shared RAG embedding/reranker

The via-server runs on the local_deployment_single_gpu_default network,
not nvidia-rag, so it cannot resolve nemoretriever-embedding-ms or
nemoretriever-ranking-ms. Route through host.docker.internal with the
correct host-mapped ports instead (9080 for embedding, 1976 for reranker).

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

---------

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Co-authored-by: anngu <anngu@nvidia.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix query decomp doc and prompt

* fix prompt in helm as well
…s#371)

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
* confirming presence of switcher text in conf.py file

* docs: adjust conf.py for 2.5.0
…AI-Blueprints#386)

* Prompt tuning, low reasoning and reasoning budget

* Filter out think token when enable filter is on

* Use default prompt

* Fix unit test

* Add doc for nemotron thinking budget

* Add question back in prompt.yaml
…DIA-AI-Blueprints#395)

* Add config to enable nemotron parse only extraction in nv-ingest

* Refactor nemotron parse only documentation

* Remove nemotron parse only references from the previous section
…rs (NVIDIA-AI-Blueprints#402)

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
* Update langchain-nvidia-ai-endpoints to >=1.1.0

* security: Update langgraph to version 1.10.0
…ueprints#397)

* Update NIM wait times and patch VSS embed/rerank models

Adjust expected NIM model loading wait from 2-5 min to ~10 min
for RTX PRO 6000 hardware. Add explicit patching of VSS config.yaml
to align embedding and reranker model names with RAG stack defaults.

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* Update VSS prompts to match default format and use seconds-based queries

- Align consumer VSS prompts with VSS config.yaml defaults (sports-adapted):
  caption, caption_summarization, summary_aggregation with proper dedup/merge logic
- Extract RAG embed/rerank model names dynamically from compose file
- Add parse_compose_default helper to avoid hardcoded model names
- Change time-range query from MM:SS to seconds format for VSS compatibility

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* Clean up notebook: rename variable, remove config overrides

- Rename _rag_compose to _rag_compose_path for clarity
- Remove hardcoded max_tokens and batch_size patches from VSS config
- Simplify time-range query cell comments

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* Rename helper function and revert prompts to MM:SS format

- Rename parse_compose_default to extract_rag_default_compose_var
- Revert VSS prompts to MM:SS timestamp conversion style
- Revert time-range query to MM:SS format

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

* Add GPU assignment table and update NIM container names

Update notebook to reflect renamed NIM containers
(nemoretriever-* → nemotron-*) and add default GPU assignment
table for RTX PRO 6000 / H100 hardware.

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor

---------

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
…structure (NVIDIA-AI-Blueprints#403)

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
…oint (NVIDIA-AI-Blueprints#412)

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
* Update: Remove Vss

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>

* Remove video processing (VSS) from kafka consumer

Video handler, video analyzer service, and all VSS-related
configuration have been removed to simplify the event ingestion
pipeline to document-only processing.

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Made-with: Cursor
Signed-off-by: Minh Nguyen <minhngu@nvidia.com>

* fix: add USERID

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>

* fix: update document

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>

---------

Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Co-authored-by: Minh Nguyen <minhngu@nvidia.com>
* confirming presence of switcher text in conf.py file

* Added chunking information
…-elements, table-structure (NVIDIA-AI-Blueprints#410)

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
Co-authored-by: Shubhadeep Das <149712532+shubhadeepd@users.noreply.github.com>
…VIDIA-AI-Blueprints#419)

* notebook: Add notebook showcasing langchain retriever connector

* Update langchain connector version to 1.2.0

* Fix broken link in notebook doc
…oud endp…" and add ranker endpoint in nvdev (NVIDIA-AI-Blueprints#421)

This reverts commit 1a11733.

Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
shubhadeepd and others added 22 commits March 11, 2026 17:39
…IA-AI-Blueprints#407)

* Add rag-blueprint agent skill with CLAUDE.md and project config

* Update query-and-conversation.md

* Update notebooks.md

Updated with NVIDIA style guide recommendations

---------

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
* confirming presence of switcher text in conf.py file

* Update documentation to reflect name change to NeMo Retriever Library

* Update api-rag.md

removed GitHub markers

* Update change-model.md

Removed GitHub markers

* Update deploy-helm.md

removed GitHub markers

* Update deploy-helm.md

Remove GitHub markers

* Update deploy-helm.md

Remove GitHub markers

* Update mig-deployment.md

removed GitHub markers

* Update deploy-helm.md

removed extra space
* confirming presence of switcher text in conf.py file

* Continuous ingestion topic

* updated index for continuous ingestion

* updated readme for continuous ingestion

* Update continuous-ingestion-object-storage.md

added RAG Blueprint

* Update continuous-ingestion-object-storage.md

Converted first sentence into 2 sentences

* Update index.md

* Apply suggestion from @nkmcalli

Co-authored-by: nkmcalli <nmcallister@nvidia.com>

* Update continuous-ingestion-object-storage.md

* Update continuous-ingestion-object-storage.md

* Update continuous-ingestion-object-storage.md

---------

Co-authored-by: nkmcalli <nmcallister@nvidia.com>
…prints#430)

* Nemotron 3 super deployment guide and migration guide

* Organize gpu requirement and heading for nemotron3 super

* Add instruction for updating values.yaml and refactor doc

* Add cloud endpoint url in env file

* Instruction to export llm max token in docker flow

* remove unrequired llm api key from doc

* Separate yaml for nemotron 3 deployment

* Remove unnecessary information for local hosted

* Simplify docker deployment logs

* Remove cuda device from rtx 6000 pro

* Add prompt customization instruction in nemotron3 helm section

* Instruction for prompt customization

* Remove heading for rtx 6000 pro
Signed-off-by: smasurekar <smasurekar@nvidia.com>
…#434)

* docs: add RAG accuracy benchmarks documentation

* docs: Fix broken links and format in accuracy benchmark doc

* Update accuracy-benchmarks.md

* Update accuracy-benchmarks.md

* Update accuracy-benchmarks.md

* Update accuracy-benchmarks.md

* Update accuracy-benchmarks.md

* Update accuracy-benchmarks.md

implemented changes as instructed by Sumit in Slack thread: https://nvidia.slack.com/archives/C09HAQRT1UY/p1773470561423909

---------

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
* Update changelog to include new additions

* Update containers to GA version
…#438)

* adding missing accuracy benchmark documentation

* Update docs/evaluate.md

Co-authored-by: nkmcalli <nmcallister@nvidia.com>

---------

Co-authored-by: nkmcalli <nmcallister@nvidia.com>
…raversal (CWE-22)

The tool_upload_documents and tool_update_documents MCP tools accepted
arbitrary file paths from MCP clients without validation. An attacker
controlling the MCP client (or an LLM agent making tool calls) could
supply paths like /etc/shadow, /proc/self/environ, or ../../sensitive.yaml
to read arbitrary files from the server filesystem and exfiltrate them
by uploading to the ingestor.

Add _validate_file_path() helper that resolves paths via os.path.realpath()
(following symlinks) and verifies they reside within the allowed upload
directory (MCP_UPLOAD_DIR env var, defaults to cwd). Raises ValueError
for paths outside the sandbox.

Both tool_upload_documents and tool_update_documents now call this
validator before reading any file.

Signed-off-by: Sebastion <sebastiondev@users.noreply.github.com>
* Updated Vidore Dataset to Vidore V3 Dataset (NVIDIA-AI-Blueprints#443)

* Kheiss/rm early access1 (NVIDIA-AI-Blueprints#445)

* remove early access from title

* remove early access from title

* Update documentation per broken link reporting for Brev and support matrix (NVIDIA-AI-Blueprints#458)

* updated versioning method for RAG documentation
…22-mcp-server-file-acbb

fix: validate file paths in MCP upload/update tools to prevent path traversal (CWE-22)
Package the GCNV data ingestor deployment into a reusable Helm chart with
PVC, service, and namespace templates plus installation guidance for
Trident-backed storage.


Made-with: Cursor

Signed-off-by: Raj Sahoo <raj.sahoo@netapp.com>
…ueprints#490)

* docs(perf): add RAG performance measurement methodology

Add performance benchmarking documentation covering TTFT and ITL
metrics across four datasets (KG-RAG, RagBattlePacket, HotPotQA,
BO767) plus synthetic workloads, comparing LLM-49B and VLM nano
configurations with reasoning on/off.

Signed-off-by: Truong Nguyen <tgnguyen@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

* Update docs/perf-benchmarks.md

Co-authored-by: Kurt Heiss <kheiss@nvidia.com>

---------

Signed-off-by: Truong Nguyen <tgnguyen@nvidia.com>
Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
Add DOMPurify sanitization to useMarkdownRenderer hook to prevent
stored XSS via dangerouslySetInnerHTML in CitationTextContent and
MessageContent components.

Attacker-uploaded documents flow through RAG retrieval into citation
content, which is rendered via marked.parse() and dangerouslySetInnerHTML
without sanitization. Malicious HTML/JS embedded in document text
(e.g. <script>, <img onerror=>, javascript: URIs) executes in the
browser of any user viewing citations.

The fix applies DOMPurify.sanitize() to the output of marked.parse()
in the shared useMarkdownRenderer hook, which is the single rendering
path for both CitationTextContent and MessageContent components.
@shubhadeepd
Collaborator

Hi @sebastiondev thanks very much for your contribution! Please help rebase these changes on develop branch.

@shubhadeepd shubhadeepd requested a review from otavionvidia May 14, 2026 06:56
@shubhadeepd shubhadeepd self-assigned this May 14, 2026
@sebastiondev sebastiondev changed the base branch from main to develop May 14, 2026 07:15
@sebastiondev
Contributor Author

Hi @shubhadeepd, thanks for the feedback! I've updated the PR base branch from main to develop. The fix commit itself only touches files under frontend/ (the 4 files for the DOMPurify XSS fix), so it should apply cleanly against develop. Let me know if you need anything else!

@lewiswigmore

Closing this to reduce the open-PR pile-up — we have multiple outstanding security contributions to this repo and that volume is not fair on your review queue. Keeping #529 (CWE-89: escape document source values in delete filter (CWE-89)) as the primary one to focus attention on.

Happy to revisit this finding separately later if it is still relevant. Apologies for the noise.
