Potential fix for code scanning alert no. 96: Bad HTML filtering regexp

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: kemuru

web/package.json

@@ -131,6 +131,8 @@
     "styled-components": "^5.3.3",
     "subgraph-status": "^1.2.4",
     "viem": "^2.24.1",
-    "wagmi": "^2.14.15"
+    "wagmi": "^2.14.15",
+    "dompurify": "^3.2.6",
+    "@types/dompurify": "^3.2.0"
   }
 }

web/src/utils/markdownSanitization.ts

@@ -1,4 +1,5 @@
 import { sanitizeUrl } from "./urlValidation";
+import DOMPurify from "dompurify";
 
 const sanitizeRepeated = (text: string, pattern: RegExp, replacement: string): string => {
   let result = text;
@@ -27,29 +28,25 @@ export const sanitizeMarkdown = (markdown: string): string => {
     return `[${text}](${sanitizedUrl})`;
   });
 
-  sanitized = sanitizeRepeated(sanitized, /<script[^>]*>.*?<\/script>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<iframe[^>]*>.*?<\/iframe>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<object[^>]*>.*?<\/object>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<embed[^>]*\/?>/gi, "");
-  sanitized = sanitizeRepeated(sanitized, /<form[^>]*>.*?<\/form>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<input[^>]*\/?>/gi, "");
-  sanitized = sanitizeRepeated(sanitized, /<button[^>]*>.*?<\/button>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<applet[^>]*>.*?<\/applet>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<audio[^>]*>.*?<\/audio>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<video[^>]*>.*?<\/video>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<svg[^>]*>.*?<\/svg>/gis, "");
-  sanitized = sanitizeRepeated(sanitized, /<canvas[^>]*>.*?<\/canvas>/gis, "");
-
-  sanitized = sanitizeRepeated(sanitized, /javascript:/gi, "");
-  sanitized = sanitizeRepeated(sanitized, /vbscript:/gi, "");
-
-  sanitized = sanitizeRepeated(sanitized, /on\w+\s*=/gi, "");
-  sanitized = sanitizeRepeated(sanitized, /style\s*=/gi, "");
-
-  sanitized = sanitizeRepeated(sanitized, /<meta[^>]*\/?>/gi, "");
-  sanitized = sanitizeRepeated(sanitized, /<link[^>]*\/?>/gi, "");
-  sanitized = sanitizeRepeated(sanitized, /<base[^>]*\/?>/gi, "");
+  // Use DOMPurify to sanitize dangerous HTML tags and attributes
+  sanitized = DOMPurify.sanitize(sanitized, {
+    ALLOWED_TAGS: [
+      // Allow only safe tags that are valid in Markdown output;
+      // Configure to disallow script, iframe, object, embed, form, input, button, applet, audio, video, svg, canvas, meta, link, base
+      "b", "i", "em", "strong", "a", "p", "ul", "ol", "li", "blockquote", "code", "pre", "span", "br", "hr", "img"
+    ],
+    ALLOWED_ATTR: ["href", "src", "alt", "title"], // No style, no event handlers
+    FORBID_TAGS: [
+      "script", "iframe", "object", "embed", "form", "input", "button", "applet", "audio", "video", "svg", "canvas", "meta", "link", "base"
+    ],
+    FORBID_ATTR: [
+      "onerror", "onload", "onclick", "style"
+    ]
+  });
 
+  // Optional: Remove encoded protocols/entities as before
+  sanitized = sanitized.replace(/javascript:/gi, "");
+  sanitized = sanitized.replace(/vbscript:/gi, "");
   sanitized = sanitized.replace(/&#x[0-9a-f]+;/gi, "");
   sanitized = sanitized.replace(/&#[0-9]+;/gi, "");