Replace escapeHTML (used by mistake) with xss for sanitization

MAGICGrants · Jun 3, 2024 · d89fe9b · d89fe9b
1 parent 85ead11
commit d89fe9b
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 6 deletions.
diff --git a/components/BigDumbMarkdown.tsx b/components/BigDumbMarkdown.tsx
@@ -1,11 +1,11 @@
-import escapeHTML from 'escape-html'
+import xss from 'xss'
 import markdownStyles from './markdown-styles.module.css'
 
 export default function BigDumbMarkdown({ content }: { content: string }) {
   return (
     <div className="flex flex-col items-center py-8">
       <div className={markdownStyles['markdown']}>
-        <div dangerouslySetInnerHTML={{ __html: escapeHTML(content) }} />
+        <div dangerouslySetInnerHTML={{ __html: xss(content) }} />
       </div>
     </div>
   )

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -42,7 +42,8 @@
     "stripe": "^15.9.0",
     "swr": "^2.2.5",
     "watch": "^0.13.0",
-    "wicg-inert": "^3.1.2"
+    "wicg-inert": "^3.1.2",
+    "xss": "^1.0.15"
   },
   "devDependencies": {
     "@tailwindcss/line-clamp": "^0.4.4",

diff --git a/pages/projects/[slug].tsx b/pages/projects/[slug].tsx
@@ -15,7 +15,7 @@ import Link from 'next/link'
 import ShareButtons from '../../components/ShareButtons'
 import Progress from '../../components/Progress'
 import { fetchPostJSON, fetchGetJSONAuthedBTCPay, fetchGetJSONAuthedStripe } from '../../utils/api-helpers'
-import escapeHTML from 'escape-html'
+import xss from 'xss'
 
 type SingleProjectPageProps = {
   project: ProjectItem
@@ -138,7 +138,7 @@ const Project: NextPage<SingleProjectPageProps> = ({ project, projects, stats })
             </p >
             <ShareButtons project={project} />
             <hr />
-            {content && <div dangerouslySetInnerHTML={{ __html: escapeHTML(content) }} />}
+            {content && <div dangerouslySetInnerHTML={{ __html: xss(content) }} />}
           </div >
         </article >
       </div >