From eacc59f86d566919b91b0d79a8c5fa5a4a70f12f Mon Sep 17 00:00:00 2001
From: Clevis22 <143231290+Clevis22@users.noreply.github.com>
Date: Sun, 3 Mar 2024 21:36:46 +0000
Subject: [PATCH] xss protection

---
 index.html | 1 +
 script.js  | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/index.html b/index.html
index b1adeb5..8bca129 100644
--- a/index.html
+++ b/index.html
@@ -58,5 +58,6 @@
+ 
\ No newline at end of file
diff --git a/script.js b/script.js
index 49324ab..046123b 100644
--- a/script.js
+++ b/script.js
@@ -157,7 +157,9 @@ editor.addEventListener('input', () => {
 // get the message from the worker
 previewWorker.addEventListener('message', function(event) {
 var scrollTop = preview.scrollTop;
- preview.innerHTML = event.data;
+ var cleanHTML = DOMPurify.sanitize(event.data); // Sanitize received HTML
+ preview.innerHTML = cleanHTML;
+ //preview.innerHTML = event.data;
 // Ensure scrolling happens after rendering
 requestAnimationFrame(function() {
 preview.scrollTop = scrollTop;
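Review bot: The new `DOMPurify.sanitize(event.data)` call in the message handler has no guard for the `DOMPurify` global being absent — the index.html hunk that presumably loads it is stripped in this view, so I can't confirm load order or whether it comes from a CDN — and if it is undefined the handler throws a ReferenceError and the preview silently stops updating. Since the sanitizer is now the only XSS boundary, I'd fail closed rather than fall back to raw HTML: `var cleanHTML = (typeof DOMPurify !== 'undefined') ? DOMPurify.sanitize(event.data) : '';` (or assign `event.data` via `preview.textContent` in that branch so the user still sees something). The commented-out `//preview.innerHTML = event.data;` should be deleted outright — it is exactly the vulnerable line and invites a one-character revert. If the library is loaded from a CDN, pin the script tag with `integrity`/`crossorigin` so a compromised CDN can't neutralise the sanitizer. The `previewWorker.addEventListener('message', ...)` callback and its `requestAnimationFrame` body close outside this hunk.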