Prevent XSS attack by filtering src attribute on markdown input

apache · Oct 16, 2022 · 3b66f59 · 3b66f59
1 parent 6f2e76b
commit 3b66f59
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx b/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx
@@ -30,7 +30,7 @@ interface SafeMarkdownProps {
 
 function isSafeMarkup(node: MarkdownAbstractSyntaxTree) {
   return node.type === 'html' && node.value
-    ? /href="(javascript|vbscript|file):.*"/gim.test(node.value) === false
+    ? !/(href|src)="(javascript|vbscript|file):.*"/gim.test(node.value)
     : true;
 }