fix(security): add rehype-sanitize to prevent stored XSS in chat messages #4115
Open
0xcucumbersalad wants to merge 1 commit into
Conversation
…ages

The chat markdown renderer used rehype-raw to parse inline HTML in messages but had no sanitizer. An attacker could inject an <iframe srcdoc="<script>..."> payload into a thread message's part.text field. Since srcdoc iframes inherit the parent origin, the embedded script could call /api/auth/get-session with credentials and exfiltrate the victim's session token — full account takeover.

Add rehype-sanitize (GitHub's default schema) after rehype-raw in the plugin pipeline. This strips dangerous elements (iframe, script, object, embed, form) and attributes (srcdoc, on*) while preserving safe HTML that LLMs commonly produce (tables, details, summary, code blocks).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

Critical: Stored XSS via chat message markdown — session hijacking.

The chat markdown renderer (`markdown.tsx:132`) used `rehype-raw` to parse inline HTML but had no sanitizer. An attacker could store an `<iframe srcdoc="<script>...">` payload in a thread message's `part.text` field. When any org member viewed the thread:

- `ReactMarkdown` + `rehypeRaw` parses the raw HTML into DOM elements
- `<iframe srcdoc="...">` is rendered — no component override blocks it
- `srcdoc` iframes inherit the parent's origin
- `/api/auth/get-session` with credentials → raw session token

Fix

Add `rehype-sanitize` (GitHub's default schema) after `rehype-raw` in the plugin pipeline:

The default schema strips `iframe`, `script`, `object`, `embed`, `form`, and dangerous attributes (`srcdoc`, `on*`) while preserving safe HTML that LLMs produce (tables, `<details>`, `<summary>`, inline formatting).

Test plan

- `bun run fmt` — passes
- `bun run lint` — passes (0 errors)
- `bun run check` — passes (pre-existing NATS type errors only)
- `<details>`/`<summary>` blocks still work
- `<iframe srcdoc>` payloads are stripped from rendered messages
- `<script>` tags in messages are stripped
- `on*` event handlers in messages are stripped

🤖 Generated with Claude Code
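The allowlist step the PR describes, shown as an added example that is not the PR's code or the rehype-sanitize library's: a small sanitizer over a hast-style tree, in the shape of an allowlist schema, run on a constructed tree like the one `rehype-raw` hands to the next plugin. The `TAGS` and `ATTRS` lists are an assumed illustrative subset, not the library's real default schema, and the sample message is constructed. It shows why the sanitizer must run after `rehype-raw` (it operates on element nodes, which only exist once the inline HTML has been parsed) and that an allowlist drops the `iframe`/`srcdoc` and `on*` cases without touching `details`/`summary` or tables.

```javascript
// Added example, not code from the PR or its repository. It models the
// allowlist pass rehype-sanitize performs on the tree rehype-raw produces.
// TAGS/ATTRS are a constructed subset chosen to illustrate the PR's claims,
// not the library's real default schema; the sample tree is constructed too.
// Property names are plain lowercase HTML attribute names for readability
// (hast itself stores camelCased property names).

const TAGS = new Set([
  'p', 'a', 'strong', 'em', 'code', 'pre', 'br', 'ul', 'ol', 'li',
  'table', 'thead', 'tbody', 'tr', 'th', 'td', 'details', 'summary',
]);
// Elements whose whole subtree is dropped: unwrapping a <script> would leave
// its source visible as text, which is confusing even though it cannot run.
const STRIP = new Set(['script', 'style']);
// Attribute allowlist per element; '*' applies to every allowed element.
// Note what is absent: srcdoc, src, style and every on* handler.
const ATTRS = {
  '*': ['id', 'class'],
  a: ['href', 'title'],
  details: ['open'],
  td: ['align'],
  th: ['align'],
};
// Only these URL shapes survive on href; javascript:, data: and
// protocol-relative URLs are rejected.
const SAFE_URL = /^(https?:|mailto:|\/(?!\/)|#)/i;

function attrAllowed(tag, key) {
  return ATTRS['*'].includes(key) || (ATTRS[tag] || []).includes(key);
}

// Returns replacement nodes: [] to drop, [node] to keep, or the sanitized
// children when an element not on the allowlist is unwrapped.
function sanitizeNode(node) {
  if (node.type === 'text') return [node];
  if (node.type !== 'element') return [];            // comments, doctype, etc.
  const tag = node.tagName.toLowerCase();
  if (STRIP.has(tag)) return [];
  const children = (node.children || []).flatMap(sanitizeNode);
  if (!TAGS.has(tag)) return children;               // unwrap: keep only children
  const properties = {};
  for (const [rawKey, value] of Object.entries(node.properties || {})) {
    const key = rawKey.toLowerCase();
    if (key.startsWith('on')) continue;              // drop every event handler
    if (!attrAllowed(tag, key)) continue;            // drop anything not listed
    if (key === 'href' && !SAFE_URL.test(String(value))) continue;
    properties[key] = value;
  }
  return [{ type: 'element', tagName: tag, properties, children }];
}

function sanitizeTree(root) {
  return { type: 'root', children: root.children.flatMap(sanitizeNode) };
}

// Helpers for inspecting a tree.
function tagNames(node, out = []) {
  if (node.type === 'element') out.push(node.tagName);
  for (const child of node.children || []) tagNames(child, out);
  return out;
}
function textOf(node) {
  if (node.type === 'text') return node.value;
  return (node.children || []).map(textOf).join('');
}

// Constructed sample tree: what rehype-raw would emit for a message that mixes
// the payload shape named in the PR with benign LLM output.
const el = (tagName, properties, ...children) => ({ type: 'element', tagName, properties, children });
const txt = (value) => ({ type: 'text', value });
const SAMPLE = { type: 'root', children: [
  el('p', {}, txt('Here is the comparison:')),
  el('iframe', { srcdoc: '<script>...</script>' }),
  el('details', { open: true, onclick: 'alert(1)' },
    el('summary', {}, txt('Raw output')), txt('...')),
  el('script', {}, txt('alert(document.cookie)')),
  el('a', { href: 'javascript:alert(1)' }, txt('click')),
  el('table', {}, el('tr', {}, el('td', { align: 'left', style: 'x' }, txt('ok')))),
] };

function demo() {
  return sanitizeTree(SAMPLE);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`; the printed tree keeps the paragraph, the `details`/`summary` block (with `open` but without `onclick`), the link stripped of its `javascript:` URL, and the table, while the `iframe` and `script` nodes are gone. The design choice that matters is the allowlist: anything not enumerated is removed, so a newly dangerous element or attribute needs no denylist update, which is the property the PR relies on when it adopts the default schema rather than hand-filtering `iframe` and `srcdoc`.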
Summary by cubic

Fix stored XSS in chat message rendering by sanitizing inline HTML. Adds `rehype-sanitize` after `rehype-raw` to block dangerous tags/attributes and prevent session hijacking.

`srcdoc`, and `on*` handlers.

Written for commit 230ea86. Summary will update on new commits.