@gitlab/duo-ui 10.6.0 → 10.6.1

package/CHANGELOG.md

@@ -1,3 +1,11 @@
+## [10.6.1](https://gitlab.com/gitlab-org/duo-ui/compare/v10.6.0...v10.6.1) (2025-07-14)
+
+
+### Bug Fixes
+
+* enhance markdown renderer security ([b73cc42](https://gitlab.com/gitlab-org/duo-ui/commit/b73cc42ecbec353cbe3646ceb0dacfd506b08975))
+* enhance markdown renderer security ([c422395](https://gitlab.com/gitlab-org/duo-ui/commit/c422395af70992d91d1bc0350d87d1bbba9cfa9b))
+
 # [10.6.0](https://gitlab.com/gitlab-org/duo-ui/compare/v10.5.0...v10.6.0) (2025-07-09)
 
 

package/dist/components/chat/markdown_renderer.js

@@ -11,7 +11,7 @@ const duoMarked = new Marked([{
 const config = {
   ADD_TAGS: ['insert-code-snippet', 'copy-code', 'gl-markdown', '#text', 'gl-compact-markdown'],
   ADD_ATTR: ['data-canonical-lang', 'data-sourcepos', 'lang', 'data-src', 'img'],
-  FORBID_TAGS: ['script', 'style', 'iframe', 'form', 'button'],
+  FORBID_TAGS: ['script', 'style', 'iframe', 'form', 'button', 'svg', 'video', 'audio', 'embed', 'object'],
   FORBID_ATTR: ['onerror', 'onload', 'onclick']
 };
 const handleImageElements = node => {
@@ -29,8 +29,8 @@ const handleImageElements = node => {
  * @returns {boolean} - True if the URL is a safe relative URL
  */
 function isRelativeUrlWithoutEmbeddedUrls(url) {
-  // Check if the string starts with a slash
-  if (!url.startsWith('/')) {
+  // Check if the string starts with a slash but not with double slash (protocol-relative URLs)
+  if (!url.startsWith('/') || url.startsWith('//')) {
     return false;
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gitlab/duo-ui",
-  "version": "10.6.0",
+  "version": "10.6.1",
   "description": "Duo UI Components",
   "license": "MIT",
   "main": "dist/index.js",
@@ -97,10 +97,10 @@
     "@babel/plugin-proposal-optional-chaining": "^7.21.0",
     "@babel/preset-env": "^7.28.0",
     "@babel/preset-react": "^7.27.1",
-    "@gitlab/eslint-plugin": "21.1.0",
+    "@gitlab/eslint-plugin": "21.2.0",
     "@gitlab/fonts": "^1.3.0",
     "@gitlab/stylelint-config": "6.2.2",
-    "@gitlab/svgs": "^3.137.0",
+    "@gitlab/svgs": "^3.139.0",
     "@gitlab/ui": "latest",
     "@jest/test-sequencer": "^29.7.0",
     "@rollup/plugin-commonjs": "^11.1.0",
@@ -155,8 +155,8 @@
     "module-alias": "^2.2.2",
     "npm-run-all": "^4.1.5",
     "pikaday": "^1.8.0",
-    "playwright": "^1.53.2",
-    "playwright-core": "^1.53.2",
+    "playwright": "^1.54.0",
+    "playwright-core": "^1.54.0",
     "plop": "^2.5.4",
     "postcss": "8.4.28",
     "postcss-loader": "^7.0.2",

package/src/components/chat/markdown_renderer.js

@@ -15,7 +15,18 @@ const duoMarked = new Marked([
 const config = {
   ADD_TAGS: ['insert-code-snippet', 'copy-code', 'gl-markdown', '#text', 'gl-compact-markdown'],
   ADD_ATTR: ['data-canonical-lang', 'data-sourcepos', 'lang', 'data-src', 'img'],
-  FORBID_TAGS: ['script', 'style', 'iframe', 'form', 'button'],
+  FORBID_TAGS: [
+    'script',
+    'style',
+    'iframe',
+    'form',
+    'button',
+    'svg',
+    'video',
+    'audio',
+    'embed',
+    'object',
+  ],
   FORBID_ATTR: ['onerror', 'onload', 'onclick'],
 };
 
@@ -34,8 +45,8 @@ const handleImageElements = (node) => {
  * @returns {boolean} - True if the URL is a safe relative URL
  */
 function isRelativeUrlWithoutEmbeddedUrls(url) {
-  // Check if the string starts with a slash
-  if (!url.startsWith('/')) {
+  // Check if the string starts with a slash but not with double slash (protocol-relative URLs)
+  if (!url.startsWith('/') || url.startsWith('//')) {
     return false;
   }