
fix(security): sanitize DOCX HTML output with DOMPurify to prevent XSS #514

Merged: Dallas98 merged 1 commit into main from security/xss on Jun 17, 2026

fix(security): sanitize DOCX HTML output with DOMPurify to prevent XSS#514
Dallas98 merged 1 commit into
mainfrom
security/xss

Conversation

@MoeexT MoeexT (Contributor) commented Jun 17, 2026

Malicious DOCX files with embedded script/event-handler tags rendered via mammoth.convertToHtml() + dangerouslySetInnerHTML without sanitization could execute arbitrary JavaScript in the user's browser.

Fix: Install DOMPurify and sanitize mammoth's HTML output before rendering, allowing only safe tags and attributes used by Word documents.

FCE: Cross-site scripting (XSS) via uploaded DOCX files

close: #512

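The rendering path the PR describes (mammoth.convertToHtml() feeding dangerouslySetInnerHTML) and the fix (an allowlist of Word-document tags and attributes handed to DOMPurify), worked through as an added example. This is not code from the PR or the project: it spells out one plausible allowlist in the shape DOMPurify.sanitize(html, config) accepts, and includes a small reference sanitizer so the policy can be exercised offline against a constructed payload. The reference sanitizer is a teaching stand-in, not a replacement for DOMPurify; every identifier below (docxPurifyConfig, sanitizeDocxHtml, sanitizeForRender, the sample HTML strings) is this example's own, and the exact tag list is an assumption about what the app's documents need.

```javascript
// Added example, not code from this PR or project. Pins down the policy the PR
// describes ("only safe tags and attributes used by Word documents"), exposes it
// as the config object DOMPurify.sanitize(html, config) takes, and adds a small
// reference sanitizer so the policy can run offline. The app should keep handing
// the config to DOMPurify; the reference sanitizer is a stand-in for illustration.
// Tags mammoth emits for ordinary Word content: paragraphs, headings, inline
// formatting, lists, tables, links and inline (data-URI) images. Assumed list.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'strong', 'em', 'u', 's', 'sup', 'sub', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'ul', 'ol', 'li', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'a', 'img',
]);
// Attributes those tags need; on* handlers, style, class and id are absent.
const ALLOWED_ATTR = new Set(['href', 'src', 'alt', 'colspan', 'rowspan']);
// Disallowed elements whose text must be dropped too, or "<script>alert(1)</script>"
// would survive as the literal text alert(1).
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template', 'svg', 'math']);

// Config for the real sanitizer: DOMPurify.sanitize(mammothHtml, docxPurifyConfig()).
// DOMPurify applies its own URI scheme checks on href/src on top of this.
function docxPurifyConfig() {
  return { ALLOWED_TAGS: [...ALLOWED_TAGS], ALLOWED_ATTR: [...ALLOWED_ATTR] };
}

// Decode numeric and common named character references, so that
// href="&#106;avascript:..." is checked the way the browser will read it.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  const cp = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, hex, dec, name) =>
    hex ? cp(parseInt(hex, 16)) : dec ? cp(parseInt(dec, 10)) : (named[name.toLowerCase()] ?? m));
}

// href: http(s), mailto or a relative path. src: https or an inline image.
// Control characters and whitespace are stripped first; browsers ignore them
// inside a scheme, so "java\tscript:" would otherwise slip through.
function isSafeUrl(attr, value) {
  const v = decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  if (attr === 'src') return /^https:\/\//.test(v) || /^data:image\//.test(v);
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return !scheme || ['http', 'https', 'mailto'].includes(scheme[1]);
}

// Keep only allow-listed attributes; URL attributes must also pass isSafeUrl.
function sanitizeAttrs(attrStr) {
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrStr)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_ATTR.has(name)) continue;
    if ((name === 'href' || name === 'src') && !isSafeUrl(name, value)) continue;
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

const escapeText = (t) => t.replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Reference allow-list sanitizer: rebuilds the markup from scratch, emitting only
// allow-listed tags and attributes, dropping comments and the content of
// script-like elements, and escaping stray angle brackets in text.
function sanitizeDocxHtml(html) {
  const tagRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the dropped element whose content is being skipped
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!skipUntil) out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const [raw, name, attrStr] = m;
    if (name === undefined) continue; // HTML comment: dropped
    const tag = name.toLowerCase();
    const isClose = raw.startsWith('</');
    if (skipUntil) { if (isClose && tag === skipUntil) skipUntil = null; continue; }
    if (!ALLOWED_TAGS.has(tag)) { if (!isClose && DROP_CONTENT_TAGS.has(tag)) skipUntil = tag; continue; }
    out += isClose ? `</${tag}>` : `<${tag}${sanitizeAttrs(attrStr)}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  return out;
}

// What the component calls before dangerouslySetInnerHTML: pass DOMPurify as
// `purifier` in the app; without one the reference sanitizer is used.
function sanitizeForRender(mammothHtml, purifier) {
  return purifier ? purifier.sanitize(mammothHtml, docxPurifyConfig()) : sanitizeDocxHtml(mammothHtml);
}

// Constructed inputs (not from a real DOCX): an attacker's payload of the kind
// the PR describes, and a benign document in the shape mammoth produces.
const MALICIOUS_HTML =
  '<p>Quarterly report</p><script>alert(document.cookie)</script>' +
  '<img src="x" onerror="alert(1)"><a href="javascript:alert(2)">click</a>' +
  '<a href="&#106;avascript:alert(3)">encoded</a>' +
  '<p onmouseover="alert(4)" style="color:red">hover</p>' +
  '<!-- hidden --><iframe src="https://evil.example/"></iframe>';
const BENIGN_HTML =
  '<h1>Title</h1><p><strong>Bold</strong> and <em>italic</em>, see ' +
  '<a href="https://example.com/doc">link</a>.</p>' +
  '<table><tr><td colspan="2">cell</td></tr></table>' +
  '<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo" /><p>1 &lt; 2</p>';
```

In the component the call becomes `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html, docxPurifyConfig()) }}`; the payload above collapses to `<p>Quarterly report</p><img><a>click</a><a>encoded</a><p>hover</p>` while the benign document keeps its headings, links, table and inline image. Two caveats a reviewer would raise: keep DOMPurify as the actual sanitizer, because it parses with the browser's own DOM and so handles mutation XSS and parser quirks that a tokenizer like the one above does not; and keep the allowlist as narrow as the documents the app really receives, since every extra tag or attribute is additional attack surface.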
@Dallas98 Dallas98 merged commit 9fee861 into main Jun 17, 2026
8 checks passed
@MoeexT MoeexT deleted the security/xss branch June 18, 2026 08:58
2 participants