sitesmith: harden HtmlBlock with DOMPurify + add Vitest setup

Browse Source

Closes XSS hole in HtmlBlock by sanitizing user/AI-supplied markup
through DOMPurify before passing to dangerouslySetInnerHTML. Adds
Vitest + jsdom for unit testing with 5 passing tests covering script
stripping, on-event handler removal, javascript: URL blocking, iframe
allowlist, and form/input stripping.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

...

This commit is contained in:

Josh Knapp

2026-05-23 14:13:42 -07:00

parent 606c9b78c8

commit bd15a33984

5 changed files with 3270 additions and 25 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

3189

craft/package-lock.json generated Normal file

File diff suppressed because it is too large Load Diff