fix(markdown): XSS Prevention (#1832)

src/runtime/components/ContentRendererMarkdown.vue

@@ -115,6 +115,10 @@ function renderNode (node: MarkdownNode, h: CreateElement, documentMeta: ParsedC
     return h(Text, node.value)
   }
 
+  if (node.tag === 'script') {
+    return renderToText(node)
+  }
+
   const originalTag = node.tag!
   // `_ignoreMap` is an special prop to disables tag-mapper
   const renderTag: string = (typeof node.props?.__ignoreMap === 'undefined' && documentMeta.tags[originalTag]) || originalTag
@@ -137,6 +141,18 @@ function renderNode (node: MarkdownNode, h: CreateElement, documentMeta: ParsedC
   )
 }
 
+function renderToText (node: MarkdownNode) {
+  if (node.type === 'text') {
+    return node.value
+  }
+
+  if (!node.children?.length) {
+    return `<${node.tag}>`
+  }
+
+  return `<${node.tag}>${node.children?.map(renderToText).join('') || ''}</${node.tag}>`
+}
+
 function renderBinding (node: MarkdownNode, h: CreateElement, documentMeta: ParsedContentMeta, parentScope: any = {}): VNode {
   const data = {
     ...parentScope,

test/features/renderer-markdown.ts

@@ -88,5 +88,10 @@ export const testMarkdownRenderer = () => {
       expect(html).not.contains('<meta property="og:image" content="https://picsum.photos/200/300">')
       expect(html).not.contains('<meta name="description" content="Description overwritten"><meta property="og:image" content="https://picsum.photos/200/300">')
     })
+
+    test('XSS Prevention', async () => {
+      const html = await $fetch('/_partial/xss')
+      expect(html).contains('&lt;script&gt;console.log(&#39;xss&#39;)&lt;/script&gt;')
+    })
   })
 }

test/fixtures/basic/content/_partial/xss.md

@@ -0,0 +1 @@
+<script>console.log('xss')</script>