fix(view): disable shadow mode by default to prevent XSS (#891)

makhnatkin · web-flow · commit bdfb0394a047 · 2025-12-11T10:28:59.000+01:00
diff --git a/src/view/hocs/withYfmHtml/index.tsx b/src/view/hocs/withYfmHtml/index.tsx
@@ -8,6 +8,8 @@ import type {PluginRuntime, TransformMeta} from '../withMermaid/types';
 
 import {useYfmHtmlBlockRuntime} from './useYfmHtmlBlockRuntime';
 
+export {DEFAULT_HTML_RUNTIME_CONFIG} from './useYfmHtmlBlockRuntime';
+
 export type WithYfmHtmlBlockOptions = {
     runtime: PluginRuntime;
 };
diff --git a/src/view/hocs/withYfmHtml/useYfmHtmlBlockRuntime.ts b/src/view/hocs/withYfmHtml/useYfmHtmlBlockRuntime.ts
@@ -3,11 +3,18 @@ import {setupRuntimeConfig} from '@diplodoc/html-extension/utils';
 
 import type {PluginRuntime, TransformMeta} from './types';
 
+/**
+ * Default runtime config with shadow mode disabled for XSS protection.
+ */
+export const DEFAULT_HTML_RUNTIME_CONFIG: HTMLRuntimeConfig = {
+    disabledModes: ['shadow'],
+};
+
 /** @internal */
 export function useYfmHtmlBlockRuntime(
     meta: TransformMeta,
     runtime: PluginRuntime = '_assets/html-extension.js',
-    htmlRuntimeConfig: HTMLRuntimeConfig = {},
+    htmlRuntimeConfig: HTMLRuntimeConfig = DEFAULT_HTML_RUNTIME_CONFIG,
 ) {
     if (meta?.script?.includes(runtime)) {
         // MAJOR: update html-extension peer on ^2.7.1 and remove optional chain
