OpenLearningNet · damar-openlearning · Dec 16, 2024 · Dec 16, 2024 · Dec 17, 2024 · dcollien
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -26,6 +26,7 @@
     "vite": "^5.1.6"
   },
   "dependencies": {
+    "dompurify": "^3.2.3",
     "he": "^1.2.0",
     "jszip": "^3.10.1",
     "vite-plugin-dts": "^4.0.2"

diff --git a/src/imscc/resource/discussion.ts b/src/imscc/resource/discussion.ts
@@ -1,4 +1,5 @@
 import { Page } from "../types";
+import DOMPurify from "dompurify";
 
 const safeTags = (str: string) =>
   str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
@@ -8,7 +9,7 @@ export const discussionDocument = (page: Page, _id: string) => ({
 <topic xmlns="http://www.imsglobal.org/xsd/imsccv1p1/imsdt_v1p1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.imsglobal.org/xsd/imsccv1p1/imsdt_v1p1 http://www.imsglobal.org/profile/cc/ccv1p1/ccv1p1_imsdt_v1p1.xsd">
   <title>${page.title}</title>
   <text texttype="text/html">${safeTags(
-    typeof page.content === "string" ? page.content : ""
+    typeof page.content === "string" ? DOMPurify.sanitize(page.content) : ""
   )}</text>
 </topic>`,
   ext: "xml",

diff --git a/src/imscc/resource/html.ts b/src/imscc/resource/html.ts
@@ -1,5 +1,6 @@
 import { FILEBASE_PLACEHOLDER } from "../constants";
 import { Config, Page } from "../types";
+import DOMPurify from "dompurify";
 
 export const cssFromConfig = (config?: Config) => {
   if (!config) {
@@ -29,7 +30,11 @@ const templateHtml = (page: Page, id: string, options?: Config) => {
 <meta name="editing_roles" content="teachers"/>${styleTag}
 </head>
 <body>
-${page.content}
+${
+  typeof page.content === "string"
+    ? DOMPurify.sanitize(page.content)
+    : page.content
 content: string | Section[]; 
 content: string | Section[]; 
+}
 </body>
 </html>`;
 };