Skip to content

fix: escape user input in md2html to prevent XSS in live preview#244

Open
mrunalC27 wants to merge 1 commit into
Mohit-368:mainfrom
mrunalC27:fix/xss-preview-md2html
Open

fix: escape user input in md2html to prevent XSS in live preview#244
mrunalC27 wants to merge 1 commit into
Mohit-368:mainfrom
mrunalC27:fix/xss-preview-md2html

Conversation

@mrunalC27

Copy link
Copy Markdown

Description

Closes #243. md2html() only escaped content inside fenced code blocks, leaving every other user-entered field (project name, description, features, etc.) unescaped before being inserted into the HTML rendered via dangerouslySetInnerHTML in PreviewPanel.jsx.
This allowed arbitrary HTML/JS typed into any field to execute immediately in the live preview.

Fix

Escape the full markdown input up front with the existing esc() helper, before any of the markdown-to-HTML transforms run — the same approach already used for code blocks. esc() only touches &, <, >, so it doesn't interfere with any markdown syntax characters (*, #, `, [, ], (, ), |, -) that the transform pipeline relies on.

Testing

  • Verified a payload like <img src=x onerror=alert(1)> now renders as literal visible text instead of executing.
  • Verified headings, bold, links (including URLs with & in query params), tables, and fenced code blocks all still render correctly
    and are not double-escaped.
  • npm run build passes with no errors.

Note

This was previously self-XSS only (no import/share-link feature currently loads another user's data), but is worth fixing regardless
as defense-in-depth before any such feature is added.

@netlify

netlify Bot commented Jul 3, 2026

Copy link
Copy Markdown

Deploy Preview for makeareadme ready!

Name Link
🔨 Latest commit c78430a
🔍 Latest deploy log https://app.netlify.com/projects/makeareadme/deploys/6a4756472599be0008b043e4
😎 Deploy Preview https://deploy-preview-244--makeareadme.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] Live README preview vulnerable to XSS via unescaped user input in md2html()

1 participant