XSS

datocms · Nov 29, 2024 · 6944cc0 · 6944cc0
1 parent becd450
commit 6944cc0
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -85,7 +85,8 @@
     "style-object-to-css-string": "^1.1.3",
     "svgo": "^3.3.2",
     "typedoc": "^0.26.7",
-    "unist-util-visit": "^5.0.0"
+    "unist-util-visit": "^5.0.0",
+    "xss": "^1.0.15"
   },
   "devDependencies": {
     "@astrojs/ts-plugin": "^1.10.4",

diff --git a/src/pages/marketplace/plugins/i/[...rest]/index.astro b/src/pages/marketplace/plugins/i/[...rest]/index.astro
@@ -17,6 +17,7 @@ import { query } from './_graphql';
 import s from './_style.module.css';
 import { isVideo } from '~/components/VideoPlayer/graphql';
 import { DraftModeQueryListener } from '~/components/DraftModeQueryListener';
+import xss from 'xss';
 
 const variables = {
   slug: Astro.params.rest!,
@@ -78,7 +79,7 @@ const avatarUrl = getGravatarUrl(page.author.email);
 
           <Prose>
             <div class={s.documentation} data-monospace="true">
-              <Markdown of={page.readme} />
+              <Markdown of={xss(page.readme)} />
             </div>
           </Prose>
         </div>