fix: plugin svg icon sanitization (#817)

mirror of https://github.com/siteboon/claudecodeui.git synced 2026-06-03 19:15:37 +08:00

* fix(security)(components): unsanitized svg content injected via `dangerouslys

The plugin icon renderer fetches SVG text from `/api/plugins/.../assets/...` and injects it directly into the DOM using `dangerouslySetInnerHTML` after only checking that the payload starts with `<svg`. This does not remove malicious attributes/elements (e.g., event handlers, scriptable SVG payloads), enabling DOM-based XSS if a plugin asset is malicious or compromised.

Affected files: PluginIcon.tsx

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>

* fix: sanitize plugin svg icons

---------

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Co-authored-by: tuanaiseo <tuanaiseo@gmail.com>
Co-authored-by: Simos Mikelatos <simosmik@gmail.com>

This commit is contained in:

Haile

2026-06-02 14:24:38 +03:00

committed by

GitHub

parent 43c33d5cb1

commit d9e9df183f

3 changed files with 68 additions and 8 deletions

									
										1

package.json
									
												View File
												
				@@ -96,6 +96,7 @@

				    "cmdk": "^1.1.1",

				    "cors": "^2.8.5",

				    "cross-spawn": "^7.0.3",

				    "dompurify": "^3.4.7",

				    "express": "^4.18.2",

				    "fuse.js": "^7.0.0",

				    "gray-matter": "^4.0.3",

fix: plugin svg icon sanitization (#817)

1 package.json Unescape Escape View File

1

package.json

View File