sitesmith: harden HtmlBlock with DOMPurify + add Vitest setup

Closes XSS hole in HtmlBlock by sanitizing user/AI-supplied markup
through DOMPurify before passing to dangerouslySetInnerHTML. Adds
Vitest + jsdom for unit testing with 5 passing tests covering script
stripping, on-event handler removal, javascript: URL blocking, iframe
allowlist, and form/input stripping.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-23 14:13:42 -07:00
parent 606c9b78c8
commit bd15a33984
5 changed files with 3270 additions and 25 deletions


@@ -8,20 +8,27 @@
"build": "tsc && vite build",
"preview": "vite preview",
"test": "playwright test tests/site-builder.spec.ts --reporter=list",
"test:headed": "playwright test tests/site-builder.spec.ts --reporter=list --headed"
"test:headed": "playwright test tests/site-builder.spec.ts --reporter=list --headed",
"test:unit": "vitest run",
"test:unit:watch": "vitest"
},
"dependencies": {
"@craftjs/core": "^0.2.10",
"@craftjs/layers": "^0.2.7",
"dompurify": "^3.4.5",
"react": "^18.3.1",
"react-dom": "^18.3.1"
},
"devDependencies": {
"@playwright/test": "^1.59.1",
"@types/dompurify": "^3.0.5",
"@types/react": "^18.3.12",
"@types/react-dom": "^18.3.1",
"@vitejs/plugin-react": "^4.3.4",
"@vitest/ui": "^4.1.7",
"jsdom": "^29.1.1",
"typescript": "^5.6.3",
"vite": "^6.0.5"
"vite": "^6.0.5",
"vitest": "^4.1.7"
}
}
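Review bot: The new `"@types/dompurify": "^3.0.5"` devDependency is, I believe, redundant with `"dompurify": "^3.4.5"`, since recent DOMPurify 3.x releases bundle their own type declarations; if that holds for the resolved version, drop the stub so the compile-time types cannot drift from the runtime sanitizer. Separately, the new `test:unit` script runs the sanitizer tests under jsdom, whose HTML parser does not behave like a real browser's, so the five passing tests described in the commit are weak evidence against parser-differential (mutation) bypasses; asserting the rendered HtmlBlock output in the existing Playwright suite would cover what jsdom cannot. The caret range on `dompurify` is acceptable only if the lockfile (presumably the bulk of the 3270 added lines) is committed and honoured in CI, since sanitizer behaviour is version-sensitive.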