presentation
Warn
Audited by Socket on Jul 7, 2026
1 alert found:
SecuritySecuritybase/src/content/markdown.tsx
MEDIUMSecurityMEDIUM
base/src/content/markdown.tsx
The fragment is not malware-like, but it is security-critical for XSS if `source` is attacker-controlled: it renders Markdown `html` tokens directly using `dangerouslySetInnerHTML` with no sanitization. Additionally, link `href` values are only partially validated (external HTTP(S) detection and rewriting), and internal anchor scrolling decodes attacker-controlled fragments. If the application guarantees `source` is fully trusted or sanitized before reaching this component, risk is reduced; otherwise, this component should be treated as an XSS sink.
Confidence: 78%Severity: 85%
Audit Metadata