import ReactMarkdown from 'react-markdown';
import rehypeSanitize, { defaultSchema } from 'rehype-sanitize';
import { cn } from '@/lib/utils';

/** Props for {@link MarkdownRenderer}. */
interface MarkdownRendererProps {
  /** Markdown source to render. Treated as untrusted, user-generated input. */
  content: string;
  /** Optional extra class name(s) for the rendered output. */
  className?: string;
}

// Sanitization schema handed to rehype-sanitize: rehype-sanitize's
// defaultSchema (tag names, protocols, clobbering rules are kept by the spread)
// extended with tag-specific attribute allowlist entries for `a` and `img`.
// In hast-util-sanitize an entry of the form [name, ...values] allows that
// attribute only when its value is one of the listed values. The sanitizer
// only filters attributes already present in the tree and never adds any, so
// these entries do not by themselves put rel/target/loading/referrer policy on
// links or images; that has to happen in a separate step.
// NOTE(review): schema keys are hast property names (camelCase, e.g. `longDesc`
// in defaultSchema), so `referrerpolicy` below likely needs to be
// `referrerPolicy` to match anything — confirm against the installed
// hast-util-sanitize version.
// NOTE(review): defaultSchema's '*' list may already allow `rel` with any
// value; check which entry wins in the installed version before relying on the
// value restriction below.
const customSchema = {
  ...defaultSchema,
  attributes: {
    ...defaultSchema.attributes,
    a: [
      ...(defaultSchema.attributes?.a || []),
      // `rel` kept only with value noopener / noreferrer
      ['rel', 'noopener', 'noreferrer'],
      // `target` kept only when it is `_blank`
      ['target', '_blank']
    ],
    img: [
      ...(defaultSchema.attributes?.img || []),
      // `loading` kept only when it is `lazy`
      ['loading', 'lazy'],
      // intended to keep `referrerpolicy="no-referrer"` — see casing note above
      ['referrerpolicy', 'no-referrer']
    ]
  }
};

/**
 * Markdown renderer intended for untrusted (user-generated) content.
 *
 * What this file establishes:
 * - `customSchema` extends rehype-sanitize's defaultSchema with restricted
 *   per-tag attribute allowlists for `a` and `img` (see above).
 * - `rel="noopener noreferrer"`, `target="_blank"`, `loading="lazy"` and the
 *   referrer policy are *permitted* by the schema, not enforced: rehype-sanitize
 *   strips disallowed attributes but does not add any. Enforcing them requires
 *   a separate step (a rehype plugin that adds them, or a custom `components`
 *   mapping for `a` / `img` in react-markdown) — confirm that step exists.
 * - NOTE(review): the JSX returned by this component is not present in the
 *   copy reviewed; presumably a `<ReactMarkdown>` element passing
 *   `rehypePlugins={[[rehypeSanitize, customSchema]]}` and `skipHtml`, with
 *   `className` passed through `cn`. Verify both props: without
 *   `rehypeSanitize` in `rehypePlugins` the schema above is unused, and the
 *   raw-HTML stripping claimed by the original header depends on `skipHtml`
 *   actually being set.
 *
 * @param props.content - markdown source (untrusted)
 * @param props.className - optional class name(s) for the rendered output
 * @see docs/SECURITY.md for markdown security policy
 */
export function MarkdownRenderer({ content, className }: MarkdownRendererProps) {
  // NOTE(review): the returned JSX element is missing between the parentheses
  // in this copy of the file; nothing below is reconstructed.
  return (
  );
}