From 7685144b0c500472c5c9318b9bf785672e784596 Mon Sep 17 00:00:00 2001
From: Haileyesus
Date: Mon, 23 Feb 2026 11:16:20 +0300
Subject: [PATCH] fix(markdown-preview): disable raw HTML rendering in preview

Issue
- Markdown preview used rehype-raw, which interprets raw HTML from document content.
- For untrusted markdown (user files, copied LLM output), this could allow script-capable HTML payloads to execute in preview.

Change
- Removed rehypeRaw from MarkdownPreview.
- Kept rehype-katex enabled so math rendering still works.
- Result: raw HTML is no longer interpreted as DOM; it is treated as markdown text.

Reproduction (before fix)
1. Open/create any .md file in the code editor.
2. Add:
3. Toggle Markdown Preview.
4. Observe script execution (alert) in vulnerable behavior.

Expected after fix
- The same payload does not execute; raw HTML is not rendered as active DOM.

Validation
- npm run typecheck (passes).
---
 .../view/subcomponents/markdown/MarkdownPreview.tsx | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/components/code-editor/view/subcomponents/markdown/MarkdownPreview.tsx b/src/components/code-editor/view/subcomponents/markdown/MarkdownPreview.tsx
index b56052d..96c8d89 100644
--- a/src/components/code-editor/view/subcomponents/markdown/MarkdownPreview.tsx
+++ b/src/components/code-editor/view/subcomponents/markdown/MarkdownPreview.tsx
@@ -2,7 +2,6 @@ import { useMemo } from 'react';
 import type { Components } from 'react-markdown';
 import ReactMarkdown from 'react-markdown';
 import rehypeKatex from 'rehype-katex';
-import rehypeRaw from 'rehype-raw';
 import remarkGfm from 'remark-gfm';
 import remarkMath from 'remark-math';
 import MarkdownCodeBlock from './MarkdownCodeBlock';
@@ -39,7 +38,7 @@ const markdownPreviewComponents: Components = {
 export default function MarkdownPreview({ content }: MarkdownPreviewProps) {
 const remarkPlugins = useMemo(() => [remarkGfm, remarkMath], []);
- const rehypePlugins = useMemo(() => [rehypeRaw, rehypeKatex], []);
+ const rehypePlugins = useMemo(() => [rehypeKatex], []);
 return (
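Review bot: The new `rehypePlugins` line gives no hint that leaving rehype-raw out is a security boundary, so the next contributor chasing a "HTML tables don't render in preview" report can add it back without seeing why it was removed; put a comment on that line, e.g. `// Security: intentionally no rehype-raw — content is untrusted (user files, pasted LLM output); raw HTML must stay inert text.` The commit's only validation is `npm run typecheck`, which cannot detect this regression; a render test that feeds `MarkdownPreview` content containing a `<script>` tag and an `<img onerror>` attribute and asserts the rendered output contains neither element would pin the property the commit message claims. Keeping rehype-katex on untrusted input is fine only while KaTeX runs with its default `trust: false`, which (as far as I recall) refuses `\href`, `\url` and `\includegraphics`; the plugin options are not visible in this hunk, so confirm nothing passes `trust: true` here or in a shared config, as that would reopen an injection path through math. Whether any `markdownPreviewComponents` override (for `a` or `img`, say) bypasses react-markdown's default URL transform is also outside the hunk and worth a glance. `MarkdownPreview`'s body continues past the end of the hunk.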