diff --git a/client/cody-shared/src/chat/markdown.ts b/client/cody-shared/src/chat/markdown.ts
index aeaee8095c0..d59b60bdc89 100644
--- a/client/cody-shared/src/chat/markdown.ts
+++ b/client/cody-shared/src/chat/markdown.ts
@@ -12,5 +12,8 @@ export function renderMarkdown(markdown: string): string {
     registerHighlightContributions()
 
     // Add Cody-specific Markdown rendering if needed.
-    return renderMarkdownCommon(markdown, { breaks: true })
+    return renderMarkdownCommon(markdown, {
+        breaks: true,
+        sanitize: true,
+    })
 }
diff --git a/client/cody-ui/src/terms.ts b/client/cody-ui/src/terms.ts
index c355202838b..267fa0e60c0 100644
--- a/client/cody-ui/src/terms.ts
+++ b/client/cody-ui/src/terms.ts
@@ -2,4 +2,4 @@
  * A paragraph describing the Cody terms.
  */
 export const CODY_TERMS_MARKDOWN =
-    'By using Cody, you agree to its [license and privacy statement](https://about.sourcegraph.com/terms/cody-notice).'
+    'By using Cody, you agree to its [license and privacy statement](https://about.sourcegraph.com/terms/cody-notice).'
diff --git a/client/common/src/util/markdown/markdown.ts b/client/common/src/util/markdown/markdown.ts
index 15da9459982..ecf8fec59ee 100644
--- a/client/common/src/util/markdown/markdown.ts
+++ b/client/common/src/util/markdown/markdown.ts
@@ -59,6 +59,11 @@ export const renderMarkdown = (
         headerPrefix?: string
         /** Strip off any HTML and return a plain text string, useful for previews */
         plainText?: boolean
+        /**
+         * Wether to sanitize the output HTML or not.
+         * 🚨 SECURITY: defaults to false
+         **/
+        sanitize?: boolean
     } = {}
 ): string => {
     const tokenizer = new marked.Tokenizer()
@@ -73,7 +78,7 @@ export const renderMarkdown = (
     const rendered = marked(markdown, {
         gfm: true,
         breaks: options.breaks,
-        sanitize: false,
+        sanitize: typeof options.sanitize === 'undefined' ? false : options.sanitize,
         highlight: (code, language) => highlightCodeSafe(code, language),
         renderer: options.renderer,
         headerPrefix: options.headerPrefix ?? '',
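Review bot: The new `sanitize: true` passed from the Cody chat renderer relies on marked's `sanitize` option, which marked has deprecated for some time in favour of running a dedicated sanitizer such as DOMPurify over the rendered HTML; whether the pinned marked version still honours the option should be confirmed, otherwise raw HTML in model output reaches the chat view unchanged. The option also escapes raw HTML rather than stripping it, so any HTML the model emits will appear verbatim as text in the chat, which may or may not be the intended UX. The same dependency on the deprecated option applies to the `sanitize:` line added in client/common/src/util/markdown/markdown.ts. renderMarkdown's signature line precedes this hunk; only its body and closing brace are shown.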
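Review bot: The new doc comment on `sanitize?: boolean` has a typo (`Wether`) and closes with `**/` where the neighbouring `plainText` comment closes with `*/`; it should also say what the option actually does so callers do not assume it filters HTML. Suggested replacement: `/** Whether to escape raw HTML in the rendered output (marked's deprecated sanitize option). 🚨 SECURITY: defaults to false to preserve existing callers. */`. The enclosing renderMarkdown arrow function starts before this hunk and continues after it.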
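Review bot: `sanitize: typeof options.sanitize === 'undefined' ? false : options.sanitize` is the long form of `options.sanitize ?? false`, which this same object literal already uses two lines later for `headerPrefix: options.headerPrefix ?? ''`; with the property typed `sanitize?: boolean` the two are equivalent under strictNullChecks. Suggested line: `sanitize: options.sanitize ?? false,`. The `marked(` call and the surrounding renderMarkdown function continue past the end of this hunk.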