MAESTRO: Add DOMPurify XSS defense-in-depth to TerminalPreview (closes PR #896)

PR #896 identified a valid XSS concern in TerminalPreview.tsx but was
broken (missing DOMPurify import and dependency). The existing
escapeXML:true on AnsiToHtml already mitigates the vector, but
DOMPurify adds defense-in-depth sanitization.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Alex Newman
2026-02-05 18:14:46 -05:00
parent e6af8d207a
commit d0b4c7ee59
5 changed files with 27 additions and 14 deletions
+7 -1
@@ -1,5 +1,6 @@
import React, { useMemo, useRef, useLayoutEffect, useState } from 'react';
import AnsiToHtml from 'ansi-to-html';
import DOMPurify from 'dompurify';
interface TerminalPreviewProps {
content: string;
@@ -26,7 +27,12 @@ export function TerminalPreview({ content, isLoading = false, className = '' }:
scrollTopRef.current = preRef.current.scrollTop;
}
if (!content) return '';
return ansiConverter.toHtml(content);
const convertedHtml = ansiConverter.toHtml(content);
return DOMPurify.sanitize(convertedHtml, {
ALLOWED_TAGS: ['span', 'div', 'br'],
ALLOWED_ATTR: ['style', 'class'],
ALLOW_DATA_ATTR: false
});
}, [content]);
// Restore scroll position after render
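Review bot: The ALLOWED_TAGS list on the sanitize call admits only span/div/br, but ansi-to-html renders SGR bold, italic and underline as `<b>`, `<i>` and `<u>` (worth confirming against the installed version), so DOMPurify will keep the text (KEEP_CONTENT is on by default) while silently stripping that formatting from the preview; if that is not intended, widen the list to `ALLOWED_TAGS: ['span', 'div', 'br', 'b', 'i', 'u'],`. Keeping `style` in ALLOWED_ATTR is needed for the converter's colour spans, but it passes the inline CSS through unchanged, so the primary guarantee is still the converter's escaping of the raw content, which is configured where ansiConverter is constructed, outside this hunk. A short comment above the sanitize call would record that split for the next reader, e.g. `// Defense-in-depth: ansiConverter already escapes the raw terminal text; DOMPurify additionally drops any tag or attribute outside the converter's own output.` The enclosing useMemo callback starts outside the hunk.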