The gno.land website has 4 main dependencies:
- UmbrellaJs for DOM operations
- MarkedJs for Markdown to HTML compilation
- HighlightJs for Go syntax highlighting
- DOMPurify to sanitize HTML (and avoid XSS)
Some security considerations:
|                  | Umbrella Js | Marked Js | HighlightJs     | DOMPurify |
|------------------|-------------|-----------|-----------------|-----------|
| dependencies     | 0           | 0         | 0               | 0         |
| sanitize content | no          | no        | throws an error | yes       |
Best practices:
- When using MarkedJs: always run the output of the marked compiler through `DOMPurify.sanitize` before inserting it in the DOM with `.innerHTML =`.
- When using DOMPurify: preferably use the `{ USE_PROFILES: { html: true } }` option to allow HTML only. The string returned by the sanitizer must not be modified afterwards and must be inserted directly into the DOM with `.innerHTML`. Do not call `DOMPurify.sanitize` on the output of a previous `DOMPurify.sanitize`, to avoid any mutation XSS (mXSS) risk.
- When using HighlightJs: always configure it first with `hljs.configure({ throwUnescapedHTML: true })` so that it throws, before any HTML is inserted in the page, if a code block contains unexpected HTML child elements. The check is done inside HighlightJs's `highlightElement`.
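The following is an added example, not code from the gno.land website, showing one way to wire the three best practices above so they are enforced by construction: markdown is compiled, sanitized exactly once with the HTML profile, wrapped in a type that cannot be concatenated or re-sanitized, and only that type is allowed to reach `.innerHTML`; code blocks are checked for element children the same way HighlightJs does under `throwUnescapedHTML`. It assumes `marked`, `DOMPurify` and `hljs` are loaded as browser globals (script tags); the helper names `SanitizedHtml`, `renderMarkdown`, `sanitizeOnce`, `insertHtml`, `assertTextOnly` and `renderPage` are this example's own, and the `compile`/`sanitize` parameters exist so the logic can be exercised without a DOM.

```javascript
// Added example (not gno.land's own code): enforce
//   marked.parse(md) -> DOMPurify.sanitize(html, html profile) -> el.innerHTML
// with the sanitized result wrapped so it cannot be edited or sanitized twice.
// Library globals (marked, DOMPurify, hljs) are assumed to be present in the
// browser; the function parameters let the same logic run in plain Node.

const HTML_ONLY = { USE_PROFILES: { html: true } };

// Opaque wrapper: the only thing insertHtml accepts, and the one thing
// sanitizeOnce refuses. Frozen so callers cannot patch the string.
class SanitizedHtml {
  #html;
  constructor(html) {
    if (typeof html !== "string") {
      throw new TypeError("sanitizer must return a string");
    }
    this.#html = html;
    Object.freeze(this);
  }
  get html() {
    return this.#html;
  }
}

// Compile markdown and sanitize the result exactly once (HTML profile only).
// Returns SanitizedHtml, never a bare string.
function renderMarkdown(markdown, {
  compile = (md) => globalThis.marked.parse(md),
  sanitize = (html, cfg) => globalThis.DOMPurify.sanitize(html, cfg),
} = {}) {
  const rawHtml = compile(markdown);
  return new SanitizedHtml(sanitize(rawHtml, HTML_ONLY));
}

// Sanitize arbitrary untrusted HTML, but refuse input that has already been
// through the sanitizer: re-sanitizing is the double-pass the mXSS warning
// above is about.
function sanitizeOnce(value, sanitize = (html, cfg) => globalThis.DOMPurify.sanitize(html, cfg)) {
  if (value instanceof SanitizedHtml) {
    throw new Error("refusing to sanitize already-sanitized HTML (mXSS risk)");
  }
  return new SanitizedHtml(sanitize(String(value), HTML_ONLY));
}

// The single place innerHTML is assigned; anything that is not SanitizedHtml
// (a raw string, a template, a modified copy) is rejected.
function insertHtml(element, value) {
  if (!(value instanceof SanitizedHtml)) {
    throw new TypeError("insertHtml only accepts SanitizedHtml");
  }
  element.innerHTML = value.html;
  return element;
}

// Same condition hljs checks with throwUnescapedHTML: a code block must be
// text only, with no element children, before it is highlighted.
function assertTextOnly(codeElement) {
  if (codeElement.children.length > 0) {
    throw new Error("code block contains unescaped HTML");
  }
  return true;
}

// Browser entry point: configure hljs to throw, render the page, then
// highlight each code block (hljs repeats the text-only check itself).
function renderPage(markdown, container, { hljs: h = globalThis.hljs } = {}) {
  h.configure({ throwUnescapedHTML: true });
  insertHtml(container, renderMarkdown(markdown));
  for (const code of container.querySelectorAll("pre code")) {
    assertTextOnly(code);
    h.highlightElement(code);
  }
  return container;
}
```

In the browser, `renderPage(markdownSource, document.getElementById("content"))` is the only call needed; because `renderMarkdown` returns `SanitizedHtml`, any later code that tries to append to the string or run it through `DOMPurify.sanitize` again fails loudly instead of silently reopening an XSS.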