fix(frontend): sanitize rendered markdown to prevent stored XSS (CWE-79) #522
…recated SpanAttributes (NVIDIA-AI-Blueprints#377) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
Signed-off-by: Niyati Singal <nsingal@nvidia.com>
* Added MIG Slice support for RTX 6000 pro Signed-off-by: Punit Kumar <punitk@nvidia.com> * Changed to default config in MIG slicing in rtx6000pro config --------- Signed-off-by: Punit Kumar <punitk@nvidia.com> Co-authored-by: niyatisingal <nsingal@nvidia.com>
…VIDIA-AI-Blueprints#385) * changes to docs per bug 5767861 (NVIDIA-AI-Blueprints#328) * Updated launchable with v2.4.0 tag (NVIDIA-AI-Blueprints#318) * updated support matrix (NVIDIA-AI-Blueprints#321) * Document the end‑to‑end flow from query to answer and show how to measure time spent in each stage of the RAG pipeline. (NVIDIA-AI-Blueprints#317) * adding oberservablility * Update docs/debugging.md Co-authored-by: nkmcalli <nkmcalli@yahoo.com> * Update docs/observability.md Co-authored-by: nkmcalli <nkmcalli@yahoo.com> * Add query-to-answer-pipeline doc and observability/debugging updates * Trigger CI * getting build to kick in for observability file * Fix typos in query-to-answer-pipeline.md and ensure file in PR for link check * get rid of PULL_REQUEST_SUMMARY --------- Co-authored-by: nkmcalli <nkmcalli@yahoo.com> * fixed files associated with build (NVIDIA-AI-Blueprints#322) * Add multimodal query integration tests to CI pipeline * changes to docs per bug 5767861 * updated files per bug 5880717 (NVIDIA-AI-Blueprints#327) * updated files per bug 5880717 * Update CONTRIBUTING.md * Update README.md * Update python-client.md * Update readme.md * Update readme.md * Update docs/deploy-helm.md Co-authored-by: nkmcalli <nkmcalli@yahoo.com> * Update docs/deploy-helm.md Co-authored-by: nkmcalli <nkmcalli@yahoo.com> --------- Co-authored-by: rkharwar-nv <rkharwar@nvidia.com> Co-authored-by: nkmcalli <nkmcalli@yahoo.com> Co-authored-by: Pranjal Doshi <pranjald@nvidia.com> Co-authored-by: nv-pranjald <150428320+nv-pranjald@users.noreply.github.com> * Fix workflow rule and doc bugs (NVIDIA-AI-Blueprints#331) * Revert back milvus version in conf.md to v2.6.5 * Modify workflow to run on any branch * Fix workflow push rule to run on protected branches * Add files via upload (NVIDIA-AI-Blueprints#326) Found an error in the Q&A section where images in the citation were not being printed. 
* Doc bug fixes (NVIDIA-AI-Blueprints#339) * updated helm instructions (NVIDIA-AI-Blueprints#333) * updated helm instructions * Update deploy-helm.md * fix broken image link (NVIDIA-AI-Blueprints#334) * Add release note for Audio model deployment on Kubernetes on RTX‑6000 Pro is not supported in this release.heiss/5863956a (NVIDIA-AI-Blueprints#335) * Add release note for Audio model deployment on Kubernetes on RTX‑6000 Pro is not supported in this release. * Add release note for Audio model deployment on Kubernetes on RTX‑6000 Pro is not supported in this release. * Fix broken image link in observability file * Fix CPU seach with GPU index doc * Fix VLLM profile instruction for nemotron-3-nano --------- Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Updated troubleshoot documentation for Elasticsearch connection timeout (NVIDIA-AI-Blueprints#341) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com> * updated path to image files so that html output is rendered correctly (NVIDIA-AI-Blueprints#363) * Updated helm instructions for mig-deployment prerequisites (NVIDIA-AI-Blueprints#364) * Updated helm instructions for mig-deployment * Update mig-deployment.md * Doc enhancement for noteboook (NVIDIA-AI-Blueprints#361) * Doc enhancement for noteboook * Update release notes * Update launchable.ipynb (NVIDIA-AI-Blueprints#365) Updated branch name State name changed from "FAILURE"->"FAILED" * Fix typo in release notes --------- Co-authored-by: rkharwar-nv <rkharwar@nvidia.com> * fixed links in deploy-helm and mig-deploymnent (NVIDIA-AI-Blueprints#367) * update artifacts to GA version for v2.4.0 release (NVIDIA-AI-Blueprints#359) * updated files according to style guide (NVIDIA-AI-Blueprints#369) * Revert deploy-helm and mig-deployment to pre-11a31a4 versions (NVIDIA-AI-Blueprints#372) * Fix release date in changelog (NVIDIA-AI-Blueprints#373) * Bump up version to 2.5.0 --------- Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com> Co-authored-by: Kurt Heiss 
<kheiss@nvidia.com> Co-authored-by: rkharwar-nv <rkharwar@nvidia.com> Co-authored-by: nkmcalli <nkmcalli@yahoo.com> Co-authored-by: Pranjal Doshi <pranjald@nvidia.com> Co-authored-by: nv-pranjald <150428320+nv-pranjald@users.noreply.github.com> Co-authored-by: Swapnil Masurekar <smasurekar@nvidia.com>
…rints#351) * feat: add rag_event_ingest example - event-driven document/video ingestion pipeline - Kafka consumer that monitors MinIO object storage for new uploads - Routes documents to RAG Ingestor, videos to VSS for analysis - Docker Compose deployment for Kafka, MinIO, and consumer - Jupyter notebook for end-to-end deployment and testing - Sample test data (PDF document, MP4 video) tracked via Git LFS Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: polish rag_event_ingest notebook - fix sections, descriptions, TOC Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * refactor: consolidate Setup into single cell - clone, deps, API keys Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * refactor: inline check_rag/vss/aidp_status into their usage cells Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * docs: add markdown description before every code cell Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: notebook is standalone entry point, clones RAG repo to ~/rag Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: set COLLECTION_NAME, load .env, simplify query_rag, add expected logs Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: left-align markdown tables in notebook Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: use HTML tables to force left alignment Signed-off-by: Minh Nguyen 
<minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: replace API Keys markdown table with HTML for left alignment Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * feat: add storage verification, RAG frontend hints, and configurable consumer prompts - Add verify_file_in_storage() helper to confirm files landed in MinIO - Merge storage verification into document/video ingestion checks - Add RAG Frontend UI link (port 8090) to query sections - Make Kafka consumer VSS prompts configurable via env vars in docker-compose - Install git/git-lfs in notebook setup cell - Index cells in Deploy Continuous Ingestion section Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: skip RAG clone if directory already exists Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: url Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * feat: add continuous ingestion notebook for video and document pipeline Add rag_event_ingest.ipynb notebook that provides an end-to-end walkthrough for: - Deploying NVIDIA RAG stack (NIMs, Milvus, Ingestor, RAG Server) - Deploying NVIDIA VSS stack (VLM, LLM, Embedding, Reranker NIMs) - Deploying continuous ingestion pipeline (Kafka, MinIO, Kafka Consumer) - Configurable video analysis prompts for the Kafka consumer - Uploading documents and videos to MinIO with storage verification - Verifying ingestion via consumer logs - Querying ingested content via RAG API or Frontend UI Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: gpu Signed-off-by: Minh Nguyen <minhngu@nvidia.com> 
Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: add ensurepip, fix VSS tag to v2.4.1, use GPUs 2-3 for VSS, update hw req to 4 GPUs Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * fix: tag Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * feat: resolve comment * fix: patch VSS config to use host-mapped ports for shared RAG embedding/reranker The via-server runs on the local_deployment_single_gpu_default network, not nvidia-rag, so it cannot resolve nemoretriever-embedding-ms or nemoretriever-ranking-ms. Route through host.docker.internal with the correct host-mapped ports instead (9080 for embedding, 1976 for reranker). Co-authored-by: Cursor <cursoragent@cursor.com> Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor --------- Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Co-authored-by: anngu <anngu@nvidia.com> Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix query decomp doc and prompt * fix prompt in helm as well
…s#371) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
* confirming presence of switcher text in conf.py file * docs: adjust conf.py for 2.5.0
…current batch ingestion having indexing issues (NVIDIA-AI-Blueprints#389)
…AI-Blueprints#386) * Prompt tuning, low reasoning and reasoning budget * Filter out think token when enable filter is on * Use default prompt * Fix unit test * Add doc for nemotron thinking budget * Add question back in prompt.yaml
… (NVIDIA-AI-Blueprints#392) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
…DIA-AI-Blueprints#395) * Add config to enable nemotron parse only extraction in nv-ingest * Refactor nemotron parse only documentation * Remove nemotron parse only references from the previous section
…rs (NVIDIA-AI-Blueprints#402) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
* Update langchain-nvidia-ai-endpoints to >=1.1.0 * security: Update langgraph to version 1.10.0
…ueprints#397) * Update NIM wait times and patch VSS embed/rerank models Adjust expected NIM model loading wait from 2-5 min to ~10 min for RTX PRO 6000 hardware. Add explicit patching of VSS config.yaml to align embedding and reranker model names with RAG stack defaults. Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * Update VSS prompts to match default format and use seconds-based queries - Align consumer VSS prompts with VSS config.yaml defaults (sports-adapted): caption, caption_summarization, summary_aggregation with proper dedup/merge logic - Extract RAG embed/rerank model names dynamically from compose file - Add parse_compose_default helper to avoid hardcoded model names - Change time-range query from MM:SS to seconds format for VSS compatibility Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * Clean up notebook: rename variable, remove config overrides - Rename _rag_compose to _rag_compose_path for clarity - Remove hardcoded max_tokens and batch_size patches from VSS config - Simplify time-range query cell comments Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * Rename helper function and revert prompts to MM:SS format - Rename parse_compose_default to extract_rag_default_compose_var - Revert VSS prompts to MM:SS timestamp conversion style - Revert time-range query to MM:SS format Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor * Add GPU assignment table and update NIM container names Update notebook to reflect renamed NIM containers (nemoretriever-* → nemotron-*) and add default GPU assignment table for RTX PRO 6000 / H100 hardware. Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor --------- Signed-off-by: Minh Nguyen <minhngu@nvidia.com>
Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
…structure (NVIDIA-AI-Blueprints#403) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
…y given in argument and adding messages list in logs (NVIDIA-AI-Blueprints#404)
…oint (NVIDIA-AI-Blueprints#412) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
* Update: Remove Vss Signed-off-by: Minh Nguyen <minhngu@nvidia.com> * Remove video processing (VSS) from kafka consumer Video handler, video analyzer service, and all VSS-related configuration have been removed to simplify the event ingestion pipeline to document-only processing. Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Made-with: Cursor Signed-off-by: Minh Nguyen <minhngu@nvidia.com> * fix: add USERID Signed-off-by: Minh Nguyen <minhngu@nvidia.com> * fix: update document Signed-off-by: Minh Nguyen <minhngu@nvidia.com> --------- Signed-off-by: Minh Nguyen <minhngu@nvidia.com> Co-authored-by: Minh Nguyen <minhngu@nvidia.com>
* confirming presence of switcher text in conf.py file * Added chunking information
…-elements, table-structure (NVIDIA-AI-Blueprints#410) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com> Co-authored-by: Shubhadeep Das <149712532+shubhadeepd@users.noreply.github.com>
…VIDIA-AI-Blueprints#419) * notebook: Add notebook showcasing langchain retriever connector * Update langchain connector version to 1.2.0 * Fix broken link in notebook doc
…oud endp…" and add ranker endpoint in nvdev (NVIDIA-AI-Blueprints#421) This reverts commit 1a11733. Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
…IA-AI-Blueprints#407) * Add rag-blueprint agent skill with CLAUDE.md and project config * Update query-and-conversation.md * Update notebooks.md Updated with NVIDIA style guide recommendations --------- Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
* confirming presence of switcher text in conf.py file * Update documentation to reflect name change to NeMo Retriever Library * Update api-rag.md removed GitHub markers * Update change-model.md Removed GitHub markers * Update deploy-helm.md removed GitHub markers * Update deploy-helm.md Remove GitHub markers * Update deploy-helm.md Remove GitHub markers * Update mig-deployment.md removed GitHub markers * Update deploy-helm.md removed extra space
…-AI-Blueprints#429) Co-authored-by: rkharwar-nv <rkharwar@nvidia.com>
* confirming presence of switcher text in conf.py file * Continuous ingestion topic * updated index for continuous ingestion * updated reademe for continuous ingestion * Update continuous-ingestion-object-storage.md added RAG Blueprint * Update continuous-ingestion-object-storage.md Converted first sentence into 2 sentences * Update index.md * Apply suggestion from @nkmcalli Co-authored-by: nkmcalli <nmcallister@nvidia.com> * Update continuous-ingestion-object-storage.md * Update continuous-ingestion-object-storage.md * Update continuous-ingestion-object-storage.md --------- Co-authored-by: nkmcalli <nmcallister@nvidia.com>
…prints#430) * Nemotron 3 super deployment guide and migration guide * Organize gpu requirement and heading for nemotron3 super * Add instruction for updating values.yaml and refactor doc * Add cloud endpoint url in env file * Instruction to export llm max token in docker flow * remove unrequired llm api key from doc * Separate yaml for nemotron 3 deployment * Remove unnecessary information for local hosted * Simplify docker deployment logs * Remove cuda device from rtx 6000 pro * Add prompt customization instruction in nemotron3 helm section * Instruction for prompt customization * Remove heading for rtx 6000 pro
Signed-off-by: smasurekar <smasurekar@nvidia.com>
…#434) * docs: add RAG accuracy benchmarks documentation * docs: Fix broken links and format in accuracy benchmark doc * Update accuracy-benchmarks.md * Update accuracy-benchmarks.md * Update accuracy-benchmarks.md * Update accuracy-benchmarks.md * Update accuracy-benchmarks.md * Update accuracy-benchmarks.md implmented changes as instructed by Sumit in Slack thread: https://nvidia.slack.com/archives/C09HAQRT1UY/p1773470561423909 --------- Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
* Update changelog to include new additions * Update containers to GA version
…#438) * adding missing accuracy benchmark documentation * Update docs/evaluate.md Co-authored-by: nkmcalli <nmcallister@nvidia.com> --------- Co-authored-by: nkmcalli <nmcallister@nvidia.com>
…-AI-Blueprints#440) Signed-off-by: Swapnil Masurekar <smasurekar@nvidia.com>
…raversal (CWE-22) The tool_upload_documents and tool_update_documents MCP tools accepted arbitrary file paths from MCP clients without validation. An attacker controlling the MCP client (or an LLM agent making tool calls) could supply paths like /etc/shadow, /proc/self/environ, or ../../sensitive.yaml to read arbitrary files from the server filesystem and exfiltrate them by uploading to the ingestor. Add _validate_file_path() helper that resolves paths via os.path.realpath() (following symlinks) and verifies they reside within the allowed upload directory (MCP_UPLOAD_DIR env var, defaults to cwd). Raises ValueError for paths outside the sandbox. Both tool_upload_documents and tool_update_documents now call this validator before reading any file. Signed-off-by: Sebastion <sebastiondev@users.noreply.github.com>
* Updated Vidore Dataset to Vidore V3 Dataset (NVIDIA-AI-Blueprints#443) * Kheiss/rm early access1 (NVIDIA-AI-Blueprints#445) * remove early access from title * remove early access from title * Update documentation per broken link reporting for Brev and support matrix (NVIDIA-AI-Blueprints#458) * updated versioning method for RAG documentation
…22-mcp-server-file-acbb fix: validate file paths in MCP upload/update tools to prevent path traversal (CWE-22)
Package the GCNV data ingestor deployment into a reusable Helm chart with PVC, service, and namespace templates plus installation guidance for Trident-backed storage. Made-with: Cursor Signed-off-by: Raj Sahoo <raj.sahoo@netapp.com>
…ueprints#490) * docs(perf): add RAG performance measurement methodology Add performance benchmarking documentation covering TTFT and ITL metrics across four datasets (KG-RAG, RagBattlePacket, HotPotQA, BO767) plus synthetic workloads, comparing LLM-49B and VLM nano configurations with reasoning on/off. Signed-off-by: Truong Nguyen <tgnguyen@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> * Update docs/perf-benchmarks.md Co-authored-by: Kurt Heiss <kheiss@nvidia.com> --------- Signed-off-by: Truong Nguyen <tgnguyen@nvidia.com> Co-authored-by: Kurt Heiss <kheiss@nvidia.com>
Markdown produced by useMarkdownRenderer is injected via dangerouslySetInnerHTML in MessageContent and CitationTextContent. Because marked.parse() does not sanitize HTML, an attacker who can influence the content (e.g. by uploading a poisoned document that is later retrieved or echoed by the LLM) can inject <script>, event handlers, or javascript: URLs that execute in the user's browser. Run the parsed HTML through DOMPurify before returning it from the hook so every consumer is protected by default. Add unit tests covering the script-tag, event-handler, and javascript:-URL vectors.
Hi @sebastiondev thanks very much for your contribution! Please help rebase these changes on develop branch.

Hi @shubhadeepd, thanks for the feedback! I've updated the PR's base branch to I'm hitting an OAuth scope limitation when force-pushing the rebased branch — GitHub's token doesn't have the

Closing this to reduce the open-PR pile-up — we have multiple outstanding security contributions to this repo and that volume is not fair on your review queue. Keeping #529 (CWE-89: escape document source values in delete filter (CWE-89)) as the primary one to focus attention on. Happy to revisit this finding separately later if it is still relevant. Apologies for the noise.

Summary
The frontend renders LLM responses and citation snippets as markdown, then injects the resulting HTML into the DOM via `dangerouslySetInnerHTML`. The shared `useMarkdownRenderer` hook returned `marked.parse(content)` directly without sanitization. Modern `marked` (v15) does not strip raw HTML, event-handler attributes, or `javascript:` URLs by default, so any HTML embedded in markdown reaches the DOM verbatim.

This results in stored XSS (CWE-79) for any user who views chat answers or citations derived from attacker-influenced content.

- `frontend/src/hooks/useMarkdownRenderer.ts`
- `frontend/src/components/chat/MessageContent.tsx` (line 32) — `dangerouslySetInnerHTML`
- `frontend/src/components/citations/CitationTextContent.tsx` (line 33) — `dangerouslySetInnerHTML`

Data flow

- `MessageContent`/`CitationTextContent` call `renderMarkdown(content)` and set the result via `dangerouslySetInnerHTML`.
- `<script>`, `<img onerror=...>`, or `[link](javascript:...)` executes in the victim's browser, in the application origin — allowing session/state exfiltration or authenticated API calls on the victim's behalf.

Fix

Sanitize the HTML produced by `marked` with DOMPurify inside the `useMarkdownRenderer` hook before returning it. Applying the fix at the central hook covers both `MessageContent` and `CitationTextContent` with one change and keeps future consumers safe by default.

Added `dompurify` and `@types/dompurify` to `frontend/package.json`. DOMPurify is the de-facto standard sanitizer for this scenario, is actively maintained by Cure53, and preserves benign markdown-rendered HTML (headings, lists, code blocks, links to `http(s):`, etc.) while neutralising script-execution vectors.

Tests

Added `frontend/src/hooks/__tests__/useMarkdownRenderer.test.ts` covering the three primary XSS vectors plus a regression check that benign formatting still works:

- `<script>` tags are stripped from rendered output.
- `onerror=`) are removed.
- `javascript:` URLs in markdown links are neutralised.
- `**bold**`/`_italic_` still render as `<strong>`/`<em>`.

Existing `MessageContent` and `CitationTextContent` tests mock the hook and continue to pass — no behavioural change for trusted markdown.

Security analysis

The fix mitigates exploitation by removing the dangerous HTML before it ever reaches `dangerouslySetInnerHTML`. Preconditions for the original issue are realistic in a RAG deployment:

I checked for parallel render paths that might reintroduce the issue and didn't find any: both call sites go through `useMarkdownRenderer`, and there are no other usages of `marked.parse` in `frontend/src`.

Adversarial review

Before submitting, I tried to disprove this finding. I considered whether React's default escaping, a Content Security Policy, or `marked`'s own options would already block the payload. React only escapes for normal JSX children — `dangerouslySetInnerHTML` deliberately opts out, which is exactly what's used here. I did not find a CSP header configured for the frontend that would block inline event handlers or `javascript:` URLs. `marked` v15's defaults render raw HTML as-is; there is no `sanitize` option in modern versions (it was removed in v8). I also considered whether the precondition (corpus upload) already grants equivalent access — it does not: uploading a document does not by itself give the attacker JS execution in another user's browser session, which is the new capability this XSS provides.

cc @lewiswigmore
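
Added example, not part of the pull request or the project's code: a dependency-free regression check that scans rendered HTML for the three vectors the PR's tests name (`<script>` tags, event-handler attributes, `javascript:` URLs), so any render path feeding `dangerouslySetInnerHTML` can be asserted clean. The names `findXssVectors` and `assertNoXssVectors` and both sample strings are assumptions constructed for illustration; it is a test-time detector for serialized renderer output, not a replacement for DOMPurify.

```javascript
// Added example: test-time detector for script-execution vectors in rendered
// HTML. Assumes the input is the serialized string a renderer or sanitizer
// returns. Do not use it as a sanitizer.

const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);
const SCRIPT_SCHEMES = ["javascript", "vbscript"];
// An opening tag: "<" + letter, then attributes with quoted values kept whole.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// name, then optionally = "value" | 'value' | unquoted-value
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Browsers drop tab/LF/CR inside a URL, skip leading control characters and
// spaces, and treat the scheme case-insensitively, so normalise the same way.
function urlScheme(value) {
  const cleaned = value.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return match ? match[1].toLowerCase() : null;
}

// Returns one finding per dangerous construct, in document order.
function findXssVectors(html) {
  const findings = [];
  for (const [, rawTag, rawAttrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    if (tag === "script") findings.push({ kind: "script-tag", tag });
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      if (attr.startsWith("on")) {
        // Every on* attribute is treated as an event handler.
        findings.push({ kind: "event-handler", tag, attr });
      } else if (URL_ATTRS.has(attr) && SCRIPT_SCHEMES.includes(urlScheme(value))) {
        findings.push({ kind: "script-url", tag, attr });
      }
    }
  }
  return findings;
}

// Throws with a readable summary; intended for use inside a unit test.
function assertNoXssVectors(html) {
  const findings = findXssVectors(html);
  if (findings.length > 0) {
    const summary = findings
      .map((f) => `${f.kind} on <${f.tag}>${f.attr ? ` (${f.attr})` : ""}`)
      .join("; ");
    throw new Error(`unsafe HTML reached the render path: ${summary}`);
  }
  return true;
}

// Constructed sample: what an unsanitized markdown render can return.
const UNSANITIZED = [
  "<p>intro <script>alert(1)</script></p>",
  '<p><img src="x" onerror="alert(1)"></p>',
  '<p><a href="javascript:alert(1)">link</a></p>',
].join("\n");

// Constructed sample: the same content after a sanitizer has run.
const SANITIZED = [
  "<p>intro </p>",
  '<p><img src="x"></p>',
  "<p><a>link</a></p>",
  "<p><strong>bold</strong> <em>italic</em></p>",
].join("\n");

console.log(findXssVectors(UNSANITIZED).map((f) => f.kind));
console.log(assertNoXssVectors(SANITIZED));
```
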