update #14
Merged
update #14
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4.70版本 heo主题封面比例、动画更改
…expand gitbook导航文件夹悬停自动展开
…expand gitbook 导航文件夹hover-expand适配移动端
…inline-config Fix/theme starter inline config
…optimise feat: 优化dockerfile,可使包体积从1.1G缩小至200M
…tn-css Fix starter submenu btn css
Release/4.7.11
…y-tag 修复分类和标签首页
…-cnpmjs CNPM有点不靠谱
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| if (item.querySelector('figcaption').textContent.trim() === value) { | ||
| item.classList.add('active') | ||
| if (iframe) { | ||
| iframe.setAttribute('src', iframe.getAttribute('data-src')) |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that the value from the data-src attribute is properly sanitized before being used as the src attribute of an iframe. One way to do this is to use a library like DOMPurify to sanitize the value. This will ensure that any potentially malicious content is removed before it is used.
- Import the DOMPurify library.
- Use DOMPurify to sanitize the value of the
data-srcattribute before setting it as thesrcattribute of theiframe.
Suggested changeset
2
themes/photo/index.js
| @@ -34,2 +34,3 @@ | ||
| import { Style } from './style' | ||
| import DOMPurify from 'dompurify' | ||
|
|
||
| @@ -244,3 +245,4 @@ | ||
| if (iframe) { | ||
| iframe.setAttribute('src', iframe.getAttribute('data-src')) | ||
| const sanitizedSrc = DOMPurify.sanitize(iframe.getAttribute('data-src')) | ||
| iframe.setAttribute('src', sanitizedSrc) | ||
| } |
package.json
Outside changed files
| @@ -45,3 +45,4 @@ | ||
| "react-share": "^4.4.1", | ||
| "react-tweet-embed": "~2.0.0" | ||
| "react-tweet-embed": "~2.0.0", | ||
| "dompurify": "^3.2.3" | ||
| }, |
This fix introduces these dependencies
| Package | Version | Security advisories |
| dompurify (npm) | 3.2.3 | None |
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
已知问题
解决方案
.env.local迁移到package.jsonpackage.json读取版本号改动收益
package.json读取具体改动
blog.config.js测试确认