fix: sanitize dangerouslySetInnerHTML with DOMPurify to prevent XSS (#33)

abhizipstack · claude · web-flow · commit 8efcdbfa4837 · 2026-04-02T15:45:33.000+05:30
Add DOMPurify sanitization to the ANSI log renderer in no-code-model.
The parseLog function converts ANSI escape codes to HTML via
ansi-to-html, then renders with dangerouslySetInnerHTML. Without
sanitization, malicious content in logs could execute scripts.

- Install dompurify dependency
- Wrap ansiToHtml.toHtml() output with DOMPurify.sanitize()
- Only instance of dangerouslySetInnerHTML in the entire frontend

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json b/frontend/package.json
@@ -18,6 +18,7 @@
     "cronstrue": "^3.0.0",
     "crypto-js": "^4.2.0",
     "dagre": "^0.8.5",
+    "dompurify": "^3.3.3",
     "echarts": "^6.0.0",
     "framer-motion": "^12.23.12",
     "immer": "^10.0.2",
diff --git a/frontend/src/ide/editor/no-code-model/no-code-model.jsx b/frontend/src/ide/editor/no-code-model/no-code-model.jsx
@@ -14,6 +14,7 @@ import { useEffect, useRef, useState } from "react";
 import { Resizable } from "react-resizable";
 import Cookies from "js-cookie";
 import AnsiToHtml from "ansi-to-html";
+import DOMPurify from "dompurify";
 import yaml from "js-yaml";
 import {
   CalendarOutlined,
@@ -358,7 +359,7 @@ function NoCodeModel({ nodeData }) {
     });
     updateSpec(newSpec);
   };
-  const parseLog = (log) => ansiToHtml.toHtml(log);
+  const parseLog = (log) => DOMPurify.sanitize(ansiToHtml.toHtml(log));
 
   const hideGenAIAndTimeTravelTabs = true;
   const BOTTOM_TABS = [
