From c1365f2b82b3bd6d71b5da7e8aac06faf7c99d44 Mon Sep 17 00:00:00 2001
From: moonrailgun
Date: Sat, 23 Nov 2024 21:44:33 +0800
Subject: [PATCH] fix: fix xss problem when render iframe
---
 client/web/src/components/Markdown/render.tsx | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/client/web/src/components/Markdown/render.tsx b/client/web/src/components/Markdown/render.tsx
index 151f453bac6..81d41f3155d 100644
--- client/web/src/components/Markdown/render.tsx
+++ client/web/src/components/Markdown/render.tsx
@@ -46,6 +46,11 @@ export const Markdown: React.FC<{
 ),
 iframe: (props) => {
 let src = props.src;
+
+ if (src?.includes('javascript')) {
+ return
not support run javascript
;
+ }
+
 if (src && src.includes('?')) {
 src += '&autoplay=0'; // make sure media autoplay is false
 }
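Review bot: The added guard `src?.includes('javascript')` is a case-sensitive substring denylist, so it is not a dependable XSS control for the iframe `src`: browsers match URL schemes case-insensitively and tolerate some embedded whitespace, other non-http schemes are not considered at all, and a legitimate https URL that merely contains the word "javascript" in its path is now rejected. Parsing the value and allowing only `http:` and `https:` closes both gaps, as sketched below. The element returned by the guard lost its tag in this rendering, so the `<div>` in the sketch is assumed; the iframe callback also continues past the end of the hunk, so whether the rendered `<iframe>` carries a `sandbox` attribute cannot be seen here and is worth checking.

```tsx
let src = props.src;

// Allowlist the scheme of the resolved URL instead of searching for a substring.
let scheme = '';
try {
  scheme = src ? new URL(src, window.location.href).protocol : '';
} catch {
  scheme = 'invalid:'; // unparsable values are rejected by the check below
}
if (src && scheme !== 'https:' && scheme !== 'http:') {
  return <div>not support run javascript</div>;
}
// … unchanged: autoplay query handling …
```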