Fix: Implement DOMPurify to sanitize HTML content before rendering (#1498)

### What problem does this PR solve? This PR resolves issue #1491 related to HTML Injection and Cross-Site Scripting (XSS). The issue was caused by the unsafe usage of `dangerouslySetInnerHTML` without proper sanitization of user input. ### Changes - Added DOMPurify dependency. - Updated the following components to use DOMPurify: - `web/src/pages/add-knowledge/components/knowledge-chunk/components/chunk-card/index.tsx` - `web/src/pages/chat/markdown-content/index.tsx` - `web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx` ### Type of change - [x] Other (please describe): Security Fix
2024-07-15 04:24:23 +02:00
parent 2dea8448a6
commit bafe137502
5 changed files with 35 additions and 3 deletions
--- a/web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx
+++ b/web/src/pages/add-knowledge/components/knowledge-setting/category-panel.tsx
@@ -2,6 +2,7 @@ import SvgIcon from '@/components/svg-icon';
 import { useTranslate } from '@/hooks/commonHooks';
 import { useSelectParserList } from '@/hooks/userSettingHook';
 import { Col, Divider, Empty, Row, Typography } from 'antd';
+import DOMPurify from 'dompurify';
 import { useMemo } from 'react';
 import styles from './index.less';
 import { ImageMap } from './utils';
@@ -39,7 +40,7 @@ const CategoryPanel = ({ chunkMethod }: { chunkMethod: string }) => {
          </Title>
          <p
            dangerouslySetInnerHTML={{
-              __html: item.description,
+              __html: DOMPurify.sanitize(item.description),
            }}
          ></p>
          <Title level={5}>