diff --git a/packages/docs-theme/package.json b/packages/docs-theme/package.json
index f9208ec980..8b049b3ec1 100644
--- a/packages/docs-theme/package.json
+++ b/packages/docs-theme/package.json
@@ -40,6 +40,7 @@
 "@blueprintjs/select": "workspace:^",
 "@documentalist/client": "^5.0.0",
 "classnames": "^2.3.1",
+ "dompurify": "^3.0.8",
 "fuzzaldrin-plus": "^0.6.0",
 "tslib": "~2.6.2"
 },
diff --git a/packages/docs-theme/src/components/block.tsx b/packages/docs-theme/src/components/block.tsx
index ee8ba3dc29..e54996ab42 100644
--- a/packages/docs-theme/src/components/block.tsx
+++ b/packages/docs-theme/src/components/block.tsx
@@ -21,6 +21,7 @@ import * as React from "react";
 import { Classes, Code, H3 } from "@blueprintjs/core";
 import type { TagRendererMap } from "../tags";
+import DOMPurify from "dompurify";
 export function renderBlock(
 /** the block to render */
@@ -36,7 +37,8 @@ export function renderBlock(
 const textClasses = classNames(Classes.RUNNING_TEXT, textClassName);
 const contents = block.contents.map((node, i) => {
 if (typeof node === "string") {
- return
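Review bot: The added `import DOMPurify from "dompurify";` brings in a package whose type declarations are not part of this change: the package.json hunk adds only `dompurify@^3.0.8`, and as far as I know 3.0.8 predates the declarations the library later bundled, so unless `@types/dompurify` already exists in a root or workspace devDependencies the `.tsx` build sees `DOMPurify` and the return of `sanitize` as an implicit `any`. Worth confirming with a type-check of the package and adding `"@types/dompurify"` next to the runtime dependency if it is missing. `renderBlock`'s signature begins in this hunk but its body continues past it.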
;
+ const sanitizedNode = DOMPurify.sanitize(node);
+ return
;
 }
 try {
 const renderer = tagRenderers[node.tag];
diff --git a/yarn.lock b/yarn.lock
index da650762a3..7ef1c026d6 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -647,6 +647,7 @@ __metadata:
 "@documentalist/client": "npm:^5.0.0"
 "@types/fuzzaldrin-plus": "npm:~0.6.5"
 classnames: "npm:^2.3.1"
+ dompurify: "npm:^3.0.8"
 fuzzaldrin-plus: "npm:^0.6.0"
 npm-run-all: "npm:^4.1.5"
 react: "npm:^16.14.0"
@@ -6436,6 +6437,13 @@ __metadata:
 languageName: node
 linkType: hard
+"dompurify@npm:^3.0.8":
+ version: 3.0.8
+ resolution: "dompurify@npm:3.0.8"
+ checksum: e89e03d3dbd99abd64cd90705ce2cdfbc60ee9726ee53f9860e8a2d91b828ef2c173e7031529f9a3aa169ad0fbb76115c6a6683b545bf1ac5d94cc6176fb2a50
+ languageName: node
+ linkType: hard
+
 "domutils@npm:^1.7.0":
 version: 1.7.0
 resolution: "domutils@npm:1.7.0"
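Review bot: `DOMPurify.sanitize(node)` on the first added line only sanitizes when a DOM is present — my reading of the library is that when `DOMPurify.isSupported` is false (no `window`, e.g. a Node/SSR render) `sanitize` hands the input back unchanged, so the string would reach the element the `return` builds (its JSX is stripped from this page, presumably the `dangerouslySetInnerHTML` div of the removed line) unsanitized and without any signal; a guard before the call such as `if (!DOMPurify.isSupported) { throw new Error("renderBlock: DOMPurify needs a DOM to sanitize block HTML"); }`, or a server-side instance created from a DOM window, keeps it failing closed. The call also runs with the default allow-list, which as far as I recall drops `target` on links and any non-standard attributes the documentalist markup may depend on, so a before/after comparison of the rendered docs and an explicit `ADD_ATTR` where something is lost would be prudent. Since this sits inside `block.contents.map` it re-sanitizes every string on every render; the sanitized output could be memoised per block. `renderBlock`'s body continues past the hunk.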