Skip to content

sec: audit dangerouslySetInnerHTML usage in MDX rendering (MEDIUM) #5

Description

@ascender1729

What

Three dangerouslySetInnerHTML usages flagged by semgrep:

  • src/app/(marketing)/blog/[slug]/page.tsx:67, 129
  • src/components/feature-selector.tsx:89

Today only first-party MDX is rendered through these paths → low risk. But pin a sanitiser before opening blog/feature content to community contributors.

Fix

import DOMPurify from 'isomorphic-dompurify';
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />

Or migrate the MDX rendering to next-mdx-remote with a strict component allowlist (no raw HTML).

Source

Owner-self code audit on 2026-05-04. Section 2.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions