feat(voyage): vendor DOMPurify >=3.1.1 + sanitize annotation-content

2026-05-10 18:01:30 +02:00 · 2026-05-10 18:01:30 +02:00 · fc8c9eecdd
commit fc8c9eecdd
parent e839ba2a7a
5 changed files with 105 additions and 6 deletions
--- a/plugins/voyage/scripts/vendor-playground-libs.mjs
+++ b/plugins/voyage/scripts/vendor-playground-libs.mjs
@ -9,9 +9,10 @@
 //   - markdown-it@14.1.0           (UMD bundle copied verbatim)
 //   - markdown-it-front-matter@0.2.4 (CommonJS module wrapped in IIFE)
 //   - highlight.js@11.11.1         (5-lang bundle assembled from CommonJS sources)
+//   - dompurify@3.2.6              (UMD bundle copied verbatim) — v4.3 Step 24
 //
 // Output: playground/lib/{markdown-it.min.js, markdown-it-front-matter.min.js,
-//                        highlight.min.js}
+//                        highlight.min.js, dompurify.min.js}
 //
 // All three output files are zero-network browser-loadable scripts that
 // expose globals (`window.markdownit`, `window.markdownitFrontMatter`,
@ -32,6 +33,9 @@ const PINS = {
  'markdown-it': '14.1.0',
  'markdown-it-front-matter': '0.2.4',
  'highlight.js': '11.11.1',
+  // v4.3 Step 24 — pinned ≥ 3.1.1 (PortSwigger HTML-comment mutation-XSS bypass
+  // was fixed in 3.1.x; 3.2.6 is the current stable line as of 2026-05-10).
+  'dompurify': '3.2.6',
 };

 const HL_LANGS = ['yaml', 'json', 'javascript', 'bash', 'markdown', 'diff'];
@ -77,7 +81,20 @@ function vendor() {
    writeFileSync(join(OUT, 'highlight.min.js'), hlBundle);
    log(`wrote ${join(OUT, 'highlight.min.js')} (${HL_LANGS.length} langs)`);

-    // 4. MANIFEST — record the vendored versions for audit
+    // 4. dompurify — copy UMD min bundle directly (v4.3 Step 24).
+    // Mirrors markdown-it-vendoring: npm pack → tar xzf → copy
+    // dist/purify.min.js → playground/lib/dompurify.min.js. The UMD bundle
+    // exposes `window.DOMPurify` for browser-loadable use.
+    log('packing dompurify@' + PINS['dompurify']);
+    execSync(`npm pack dompurify@${PINS['dompurify']} --silent`, { cwd: tmp });
+    execSync(`tar xzf dompurify-${PINS['dompurify']}.tgz`, { cwd: tmp });
+    copyFileSync(
+      join(tmp, 'package', 'dist', 'purify.min.js'),
+      join(OUT, 'dompurify.min.js'),
+    );
+    log(`wrote ${join(OUT, 'dompurify.min.js')}`);
+
+    // 5. MANIFEST — record the vendored versions for audit
    const manifest = {
      generated_at: new Date().toISOString(),
      pins: PINS,
@ -86,6 +103,7 @@ function vendor() {
        'markdown-it.min.js',
        'markdown-it-front-matter.min.js',
        'highlight.min.js',
+        'dompurify.min.js',
      ],
    };
    writeFileSync(