
Sanitize HTML rendering in RichText and harden localStorage parsing#33

Draft
Copilot wants to merge 3 commits into main from copilot/run-security-evaluation

Conversation

Contributor

Copilot AI commented Mar 6, 2026

Security audit of src/ surfaced XSS vectors in RichText.jsx and weak input validation in useLocalStorage.js.

RichText.jsx — XSS prevention

  • Sanitize all HTML via DOMPurify.sanitize() before innerHTML assignment and dangerouslySetInnerHTML
  • Add ALLOWED_TAGS allowlist for the dynamic tagName prop to prevent rendering of arbitrary elements
// Before: caller-supplied markup reaches the DOM unsanitized
el.innerHTML = value || '';
dangerouslySetInnerHTML={{ __html: value }}

// After: every string is run through DOMPurify first
import DOMPurify from 'dompurify';
el.innerHTML = DOMPurify.sanitize(value || '');
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(value) }}

useLocalStorage.js — type validation

  • Validate JSON.parse output against expected type before returning, including Array.isArray() discrimination to catch object/array/null confusion from tampered storage

Dependency

  • Added dompurify@3.3.2 (no known advisories)

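The ALLOWED_TAGS point above is worth seeing in isolation, because a naive allowlist check is easy to get wrong: a `tagName` of `"SCRIPT"` or `" p "` must be normalized before it is compared, and the allowlist constrains only the wrapper element, so the content still has to pass through DOMPurify.sanitize(). The following is an added example, not code from the PR or from the gutendocs repository; `resolveTag`, `prepareRichText`, the contents of `ALLOWED_TAGS` and the injected `sanitize` parameter are assumptions made for illustration (in the real component `sanitize` would be `DOMPurify.sanitize`, which needs a DOM and so is not imported here).

```javascript
// Allowlist for the dynamic `tagName` prop of a rich-text wrapper
// (illustrative set; the PR's own list is not shown on the page).
// Anything outside the set falls back to a neutral element, so neither a
// caller nor tampered data can turn the wrapper into <script>, <iframe>,
// <object>, <svg>, etc.
const ALLOWED_TAGS = new Set([
  'p', 'div', 'span', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'blockquote', 'pre', 'li', 'figcaption', 'section', 'article',
]);
const DEFAULT_TAG = 'div';

// Normalize the caller-supplied tag name, then check it against the
// allowlist. Comparing before normalizing would let "SCRIPT" or " p "
// slip past an exact-match check.
function resolveTag(tagName, fallback = DEFAULT_TAG) {
  if (typeof tagName !== 'string') return fallback;
  const tag = tagName.trim().toLowerCase();
  return ALLOWED_TAGS.has(tag) ? tag : fallback;
}

// Produce what a renderer needs: the safe wrapper tag and sanitized HTML.
// `sanitize` is injected (hypothetical parameter); in the browser it is
// DOMPurify.sanitize. The allowlist never replaces the sanitizer: an
// allowed <p> still renders whatever markup `value` contains.
function prepareRichText({ tagName, value }, sanitize) {
  if (typeof sanitize !== 'function') {
    throw new TypeError('a sanitize function is required');
  }
  // Non-string values (undefined, numbers, objects) render as empty.
  const html = sanitize(typeof value === 'string' ? value : '');
  return { tag: resolveTag(tagName), html };
}
```

Falling back to a neutral tag rather than throwing keeps a tampered prop from taking the page down; if the project would rather surface misuse during development, the fallback branch is the place to add a console warning.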

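The useLocalStorage.js item describes validating JSON.parse output against an expected type, with Array.isArray() to separate arrays from objects and null. An added example of that check follows; it is not the PR's code, and the function names (`jsonType`, `readTyped`, `memoryStorage`, `readRecentDocs`, `readSettings`), the keys and the stored values are constructed for illustration. The stand-in storage exists only so the block runs outside a browser; in the hook the same logic would read `window.localStorage`.

```javascript
// Anything in localStorage can be edited from DevTools or by another script
// on the origin, so a parsed value must be treated as untrusted input.

// Discriminate the types JSON.parse can produce. Both `null` and arrays
// report typeof 'object', so each needs its own check before 'object'
// is trusted to mean a plain object.
function jsonType(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value; // 'object' | 'string' | 'number' | 'boolean'
}

// Read `key` from a Storage-like object. Return `fallback` when the entry
// is missing, is not valid JSON, has the wrong type, or fails `validate`
// (an optional shape check for element types, ranges, required fields).
function readTyped(storage, key, fallback, expectedType, validate = () => true) {
  const raw = storage.getItem(key);
  if (raw === null) return fallback;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return fallback; // corrupted or hand-edited entry
  }
  if (jsonType(parsed) !== expectedType) return fallback;
  return validate(parsed) ? parsed : fallback;
}

// Minimal in-memory stand-in for window.localStorage (constructed here).
function memoryStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
    removeItem: (k) => map.delete(k),
  };
}

// Constructed sample: one good entry per kind, plus entries tampered into
// the other JSON types and one that is not JSON at all.
const store = memoryStorage({
  'recent-docs': '["alice.md","bob.md"]',
  'recent-docs-object': '{"length":2,"0":"x"}', // array-like, not an array
  'recent-docs-null': 'null',
  'recent-docs-mixed': '["alice.md",{"evil":true}]',
  'settings': '{"theme":"dark","fontSize":14}',
  'settings-array': '[]',
  'font-size-string': '"14"',
  'broken': '{not json',
});

const EMPTY_LIST = [];
const DEFAULT_SETTINGS = { theme: 'light', fontSize: 12 };

// Expect an array of strings.
function readRecentDocs(key) {
  return readTyped(store, key, EMPTY_LIST, 'array',
    (arr) => arr.every((x) => typeof x === 'string'));
}

// Expect a plain object with two typed fields.
function readSettings(key) {
  return readTyped(store, key, DEFAULT_SETTINGS, 'object',
    (o) => typeof o.theme === 'string' && Number.isInteger(o.fontSize));
}
```

Returning the caller's fallback, rather than throwing, matches what a hook consumer expects from a missing key, and it means a tampered entry degrades to defaults instead of crashing the render. The `validate` hook is where per-field checks belong; the type discrimination alone only stops the object/array/null confusion the PR describes.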

vercel Bot commented Mar 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: gutendocs | Deployment: Ready | Status: Ready | Actions: Preview, Comment | Updated (UTC): Mar 6, 2026 9:01pm

- Add DOMPurify to sanitize innerHTML and dangerouslySetInnerHTML in RichText.jsx
- Add ALLOWED_TAGS allowlist for dynamic tag name rendering in RichText.jsx
- Add type validation for localStorage parsed values in useLocalStorage.js

Co-authored-by: flexseth <3792502+flexseth@users.noreply.github.com>
Co-authored-by: flexseth <3792502+flexseth@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Run security evaluation for the project" to "Sanitize HTML rendering in RichText and harden localStorage parsing" on Mar 6, 2026