
fix(plugins): avoid xss for the injected readme html content

charlie 5 месяцев назад
Родитель
Сommit
4cdf49aedd
3 измененных файлов с 4 добавлено и 2 удалено
  1. 1 0
      gulpfile.js
  2. 2 1
      resources/marketplace.html
  3. 1 1
      src/main/frontend/components/plugins.cljs

+ 1 - 0
gulpfile.js

@@ -72,6 +72,7 @@ const common = {
         'node_modules/react-dom/umd/react-dom.production.min.js',
         'node_modules/react-dom/umd/react-dom.development.js',
         'node_modules/prop-types/prop-types.min.js',
+        'node_modules/dompurify/dist/purify.js',
       ]).pipe(gulp.dest(path.join(outputPath, 'js'))),
       () => gulp.src([
         'node_modules/@tabler/icons-react/dist/umd/tabler-icons-react.min.js',
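Review bot: The new copy entry `'node_modules/dompurify/dist/purify.js'` pulls a package into the shipped bundle, but the commit's diffstat lists no package.json or lockfile change, so `dompurify` must already be resolvable in `node_modules` — if it is only present as a transitive dependency, the build silently relies on another package's lock resolution and the version can change under a dependency update; declaring it explicitly would pin it. A short comment on the line, `// sanitizer for the marketplace readme iframe (resources/marketplace.html)`, would tell the next maintainer why this file is shipped. The neighbouring entries copy the minified builds of their libraries, so `purify.min.js` would match the list's convention, provided the `<script>` tag in marketplace.html is changed to the same name. The `common` object and the gulp task containing this array start and end outside the hunk.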

+ 2 - 1
resources/marketplace.html

@@ -69,6 +69,7 @@
 <body>
 <div id="app"></div>
 <script src="./js/marked.min.js"></script>
+<script src="./js/purify.js"></script>
 <script>
   ;(async function () {
     const app = document.getElementById('app')
@@ -131,7 +132,7 @@
       }
 
       content = marked.parse(content).replace('src="./', `src="${fixLink('')}`)
-      setContent(content)
+      setContent(DOMPurify.sanitize(content))
     }
 
     // load default
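Review bot: `DOMPurify.sanitize(content)` on the new line runs with DOMPurify's default profile, which keeps SVG and MathML markup in addition to HTML; a rendered readme needs only HTML, so `setContent(DOMPurify.sanitize(content, { USE_PROFILES: { html: true } }))` narrows what the iframe can receive. Sanitizing after the `.replace` that rewrites `src="./` is the right order, since the rewritten attribute value still passes through the sanitizer. If `./js/purify.js` (added in the first hunk) fails to load, `DOMPurify` is undefined and this call throws, so the readme stays empty rather than rendering unsanitized, but the failure is silent unless the surrounding code reports it. `setContent`, `fixLink` and the enclosing function are defined outside the hunk.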

+ 1 - 1
src/main/frontend/components/plugins.cljs

@@ -202,7 +202,7 @@
 
 (rum/defc remote-readme-display
   [{:keys [repo]} _content]
-  (let [src (str (if (string/includes? js/location.href "logseq")
+  (let [src (str (if (string/includes? js/location.host "logseq")
                    "./static/" "./") "marketplace.html?repo=" repo)]
     [:iframe.lsp-frame-readme {:src src}]))
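Review bot: The check on the new line is still a substring match, so any host whose name contains `logseq` selects the `./static/` base; if a specific host is meant, an exact comparison on `js/location.hostname` would state the intent, and a comment such as `;; served from the hosted build => static assets live under ./static/` would explain the branch. The `repo` value on the next, unchanged line is interpolated into the iframe query string without encoding, so a value containing `&` or `#` changes the URL structure; `(js/encodeURIComponent repo)` keeps it as a single parameter value. `remote-readme-display` starts and ends within the hunk.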