Fix: Implement DOMPurify to sanitize HTML content before rendering (#1498)

### What problem does this PR solve? This PR resolves issue #1491 related to HTML Injection and Cross-Site Scripting (XSS). The issue was caused by the unsafe usage of `dangerouslySetInnerHTML` without proper sanitization of user input. ### Changes - Added DOMPurify dependency. - Updated the following components to use DOMPurify: - `web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx` - `web/src/pages/chat/markdown-content/index.tsx` - `web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx` ### Type of change - [x] Other (please describe): Security Fix
2024-07-15 04:24:23 +02:00
parent 2dea8448a6
commit bafe137502
5 changed files with 35 additions and 3 deletions
--- a/web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx
+++ b/web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx
@@ -2,6 +2,7 @@ import Image from '@/components/image';
 import { IChunk } from '@/interfaces/database/knowledge';
 import { Card, Checkbox, CheckboxProps, Flex, Popover, Switch } from 'antd';
 import classNames from 'classnames';
+import DOMPurify from 'dompurify';
 import { useState } from 'react';

 import { ChunkTextMode } from '../../constant';
@@ -73,7 +74,9 @@ const ChunkCard = ({
          className={styles.content}
        >
          <div
-            dangerouslySetInnerHTML={{ __html: item.content_with_weight }}
+            dangerouslySetInnerHTML={{
+              __html: DOMPurify.sanitize(item.content_with_weight),
+            }}
            className={classNames({
              [styles.contentEllipsis]: textMode === ChunkTextMode.Ellipse,
            })}
--- a/web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx
+++ b/web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx
@@ -2,6 +2,7 @@ import SvgIcon from '@/components/svg-icon';
 import { useTranslate } from '@/hooks/commonHooks';
 import { useSelectParserList } from '@/hooks/userSettingHook';
 import { Col, Divider, Empty, Row, Typography } from 'antd';
+import DOMPurify from 'dompurify';
 import { useMemo } from 'react';
 import styles from './index.less';
 import { ImageMap } from './utils';
@@ -39,7 +40,7 @@ const CategoryPanel = ({ chunkMethod }: { chunkMethod: string }) => {
          </Title>
          <p
            dangerouslySetInnerHTML={{
-              __html: item.description,
+              __html: DOMPurify.sanitize(item.description),
            }}
          ></p>
          <Title level={5}>
--- a/web/src/pages/chat/markdown-content/index.tsx
+++ b/web/src/pages/chat/markdown-content/index.tsx
@@ -6,6 +6,7 @@ import { IChunk } from '@/interfaces/database/knowledge';
 import { getExtension } from '@/utils/documentUtils';
 import { InfoCircleOutlined } from '@ant-design/icons';
 import { Button, Flex, Popover, Space } from 'antd';
+import DOMPurify from 'dompurify';
 import { useCallback } from 'react';
 import Markdown from 'react-markdown';
 import reactStringReplace from 'react-string-replace';
@@ -94,7 +95,7 @@ const MarkdownContent = ({
          <Space direction={'vertical'}>
            <div
              dangerouslySetInnerHTML={{
-                __html: chunkItem?.content_with_weight,
+                __html: DOMPurify.sanitize(chunkItem?.content_with_weight),
              }}
              className={styles.chunkContentText}
            ></div>