[SECURITY] Fix XSS vulnerability in MarkdownRenderer (!7) · Merge requests · acme-corp / frontend-team / core-frontend-team / ui-component-library

🔒 CRITICAL SECURITY FIX

This MR addresses a HIGH severity XSS vulnerability in the MarkdownRenderer component (Issue #9).

Vulnerability Details

Component: MarkdownRenderer
Severity: HIGH
Attack Vector: XSS through unsanitized markdown content
Affected Users: All users of ui-component-library

Exploit Example

<img src=x onerror="alert(document.cookie)">

Solution

✅ Added DOMPurify for HTML sanitization ✅ Configured strict whitelist of allowed HTML tags ✅ Removed all dangerous attributes (onerror, onclick, etc.) ✅ Added comprehensive security tests

Changes

Added dompurify and isomorphic-dompurify packages
Updated MarkdownRenderer to sanitize all HTML before rendering
Added 4 security test cases to prevent regression

Testing

npm test -- MarkdownRenderer.test.tsx

All XSS attack vectors are now blocked.

Closes #9

cc @sabrina @bill

[SECURITY] Fix XSS vulnerability in MarkdownRenderer