fix(markdown,font): sanitize HTML attributes and CSS values to prevent XSS and injection

packages/font/src/font.tsx

@@ -23,6 +23,10 @@ type FontFormat =
 type FontWeight = React.CSSProperties['fontWeight'];
 type FontStyle = React.CSSProperties['fontStyle'];
 
+function sanitizeCssValue(value: string): string {
+  return value.replace(/[';}{\\<>]/g, '');
+}
+
 export interface FontProps {
   /** The font you want to use. NOTE: Do not insert multiple fonts here, use fallbackFontFamily for that */
   fontFamily: string;
@@ -47,29 +51,28 @@ export const Font: React.FC<Readonly<FontProps>> = ({
   fontStyle = 'normal',
   fontWeight = 400,
 }) => {
+  const safeFontFamily = sanitizeCssValue(fontFamily);
+  const safeFontStyle = sanitizeCssValue(String(fontStyle));
+  const safeFontWeight = sanitizeCssValue(String(fontWeight));
+  const safeFallbacks = Array.isArray(fallbackFontFamily)
+    ? fallbackFontFamily.map(sanitizeCssValue)
+    : [sanitizeCssValue(fallbackFontFamily)];
+
   const src = webFont
-    ? `src: url(${webFont.url}) format('${webFont.format}');`
+    ? `src: url(${sanitizeCssValue(webFont.url)}) format('${sanitizeCssValue(webFont.format)}');`
     : '';
 
   const style = `
     @font-face {
-      font-family: '${fontFamily}';
-      font-style: ${fontStyle};
-      font-weight: ${fontWeight};
-      mso-font-alt: '${
-        Array.isArray(fallbackFontFamily)
-          ? fallbackFontFamily[0]
-          : fallbackFontFamily
-      }';
+      font-family: '${safeFontFamily}';
+      font-style: ${safeFontStyle};
+      font-weight: ${safeFontWeight};
+      mso-font-alt: '${safeFallbacks[0]}';
       ${src}
     }
 
     * {
-      font-family: '${fontFamily}', ${
-        Array.isArray(fallbackFontFamily)
-          ? fallbackFontFamily.join(', ')
-          : fallbackFontFamily
-      };
+      font-family: '${safeFontFamily}', ${safeFallbacks.join(', ')};
     }
   `;
   return <style dangerouslySetInnerHTML={{ __html: style }} />;

packages/markdown/src/markdown.spec.tsx

@@ -116,7 +116,7 @@ console.log(\`Hello, $\{name}!\`);
       </Markdown>,
     );
     expect(actualOutput).toMatchInlineSnapshot(`
-      "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--$--><div data-id="react-email-markdown"><p><strong style="font:700 23px / 32px &#x27;Roobert PRO&#x27;, system-ui, sans-serif;background:url(&#x27;path/to/image&#x27;)">This is sample bold text in markdown</strong> and <em style="font-style:italic">this is italic text</em></p>
+      "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--$--><div data-id="react-email-markdown"><p><strong style="font:700 23px / 32px &quot;Roobert PRO&quot;, system-ui, sans-serif;background:url(&quot;path/to/image&quot;)">This is sample bold text in markdown</strong> and <em style="font-style:italic">this is italic text</em></p>
       </div><!--/$-->"
     `);
   });

packages/markdown/src/markdown.tsx

@@ -3,6 +3,15 @@ import * as React from 'react';
 import { type StylesType, styles } from './styles';
 import { parseCssInJsToInlineCss } from './utils/parse-css-in-js-to-inline-css';
 
+function escapeHtml(value: string): string {
+  return value
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
 export type MarkdownProps = Readonly<{
   children: string;
   markdownCustomStyles?: StylesType;
@@ -37,7 +46,7 @@ export const Markdown = React.forwardRef<HTMLDivElement, MarkdownProps>(
 
     // TODO: Support all options
     renderer.code = ({ text }) => {
-      text = `${text.replace(/\n$/, '')}\n`;
+      text = `${escapeHtml(text).replace(/\n$/, '')}\n`;
 
       return `<pre${
         parseCssInJsToInlineCss(finalStyles.codeBlock) !== ''
@@ -97,8 +106,8 @@ export const Markdown = React.forwardRef<HTMLDivElement, MarkdownProps>(
     };
 
     renderer.image = ({ href, text, title }) => {
-      return `<img src="${href.replaceAll('"', '&quot;')}" alt="${text.replaceAll('"', '&quot;')}"${
-        title ? ` title="${title}"` : ''
+      return `<img src="${escapeHtml(href)}" alt="${escapeHtml(text)}"${
+        title ? ` title="${escapeHtml(title)}"` : ''
       }${
         parseCssInJsToInlineCss(finalStyles.image) !== ''
           ? ` style="${parseCssInJsToInlineCss(finalStyles.image)}"`
@@ -109,8 +118,8 @@ export const Markdown = React.forwardRef<HTMLDivElement, MarkdownProps>(
     renderer.link = ({ href, title, tokens }) => {
       const text = renderer.parser.parseInline(tokens);
 
-      return `<a href="${href}" target="_blank"${
-        title ? ` title="${title}"` : ''
+      return `<a href="${escapeHtml(href)}" target="_blank"${
+        title ? ` title="${escapeHtml(title)}"` : ''
       }${
         parseCssInJsToInlineCss(finalStyles.link) !== ''
           ? ` style="${parseCssInJsToInlineCss(finalStyles.link)}"`

packages/markdown/src/utils/parse-css-in-js-to-inline-css.ts

@@ -4,7 +4,7 @@ function camelToKebabCase(str: string): string {
 
 function escapeQuotes(value: unknown) {
   if (typeof value === 'string' && value.includes('"')) {
-    return value.replace(/"/g, ''');
+    return value.replace(/"/g, '"');
   }
   return value;
 }