Use DOMPurify to sanitize HTML in typeahead results before rendering

2026-04-14 00:14:04 +09:00 · 2023-12-07 11:11:45 +02:00
parent 54aa0d4873
commit 0a0dde5727
4 changed files with 33 additions and 2 deletions
--- a/src/lib/Prompts.svelte
+++ b/src/lib/Prompts.svelte
@@ -1,4 +1,5 @@
 <script lang="ts">
+  import DOMPurify from 'dompurify'
  import Typeahead from 'svelte-typeahead'
  import prompts from '../awesome-chatgpt-prompts/prompts.csv'

@@ -29,7 +30,11 @@
      let:result
    >
      <a class="dropdown-item" href="#top" on:click|preventDefault title="{result.original.prompt}">
-        {@html result.string}
+        <!--
+          Sanitize result.string because Typeahead introduces HTML tags and prompt
+          strings are untrusted.
+        -->
+        {@html DOMPurify.sanitize(result.string, { ALLOWED_TAGS: ['mark'] })}
      </a>
    </Typeahead>
  </div>