From ade693b7861b0b3394fe159d8af018e865220f0e Mon Sep 17 00:00:00 2001
From: reeshika-h <reeshika.hosmani@contentstack.com>
Date: Wed, 3 Jul 2024 14:42:58 +0530
Subject: [PATCH 1/2] fix: sre vulnerability issue fixed

---
 src/helper/sanitize.ts              | 18 ++++++++++++++++
 src/options/default-node-options.ts | 12 +++++++----
 src/options/default-options.ts      | 33 +++++++++++++++++++++++------
 3 files changed, 52 insertions(+), 11 deletions(-)
 create mode 100644 src/helper/sanitize.ts

diff --git a/src/helper/sanitize.ts b/src/helper/sanitize.ts
new file mode 100644
index 0000000..0f2fe70
--- /dev/null
+++ b/src/helper/sanitize.ts
@@ -0,0 +1,18 @@
+
+type AllowedTags = 'p' | 'a' | 'strong' | 'em' | 'ul' | 'ol' | 'li';
+type AllowedAttributes = 'href' | 'title' | 'target' | 'alt' | 'src';
+
+export function sanitizeHTML(input: string, allowedTags: AllowedTags[] = ['p', 'a', 'strong', 'em', 'ul', 'ol', 'li'], allowedAttributes: AllowedAttributes[] = ['href', 'title', 'target']): string {
+    // Regular expression to find and remove all HTML tags except the allowed ones
+    const sanitized = input.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>?/gi, (match, tag) => {
+        return allowedTags.includes(tag.toLowerCase()) ? match : '';
+    });
+
+    // Regular expression to remove all attributes except the allowed ones
+    const cleaned = sanitized.replace(/\s([a-z:]+)=['"][^'"]*['"]/gi, (match, attribute) => {
+        return allowedAttributes.includes(attribute.toLowerCase()) ? match : '';
+    });
+
+    return cleaned;
+}
+
diff --git a/src/options/default-node-options.ts b/src/options/default-node-options.ts
index 49d4def..07b0f80 100644
--- a/src/options/default-node-options.ts
+++ b/src/options/default-node-options.ts
@@ -2,6 +2,7 @@ import { Next, RenderOption } from ".";
 import MarkType from "../nodes/mark-type";
 import Node from "../nodes/node";
 import NodeType from "../nodes/node-type";
+import { sanitizeHTML } from "../helper/sanitize";
 
 export const defaultNodeOption: RenderOption = {
     [NodeType.DOCUMENT]:(node: Node) => {
@@ -11,16 +12,19 @@ export const defaultNodeOption: RenderOption = {
         return `<p${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</p>`
     },
     [NodeType.LINK]:(node: Node, next: Next) => {
+        const sanitizedHref = sanitizeHTML(node.attrs.href || node.attrs.url);
         if (node.attrs.target) {
-            return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${node.attrs.href || node.attrs.url}" target="${node.attrs.target}">${next(node.children)}</a>`
+            return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${sanitizedHref}" target="${node.attrs.target}">${next(node.children)}</a>`
         }
-        return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${node.attrs.href || node.attrs.url}">${next(node.children)}</a>`
+        return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${sanitizedHref}">${next(node.children)}</a>`
     },
     [NodeType.IMAGE]:(node: Node, next: Next) => {
-        return `<img${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${node.attrs.src || node.attrs.url}" />${next(node.children)}`
+        const sanitizedSrc = sanitizeHTML(node.attrs.src || node.attrs.url);
+        return `<img${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${sanitizedSrc}" />${next(node.children)}`
     },
     [NodeType.EMBED]:(node: Node, next: Next) => {
-        return `<iframe${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${node.attrs.src || node.attrs.url}">${next(node.children)}</iframe>`
+        const sanitizedSrc = sanitizeHTML(node.attrs.src || node.attrs.url);
+        return `<iframe${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${sanitizedSrc}">${next(node.children)}</iframe>`
     },
     [NodeType.HEADING_1]:(node: Node, next: Next) => {
         return `<h1${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</h1>`
diff --git a/src/options/default-options.ts b/src/options/default-options.ts
index 0c6e221..aac5309 100644
--- a/src/options/default-options.ts
+++ b/src/options/default-options.ts
@@ -3,13 +3,32 @@ import { RenderOption } from '.';
 import { Metadata } from '../Models/metadata-model';
 import { EmbeddedItem } from '../Models/embedded-object';
 import { EntryNode } from '../Models/json-rte-model';
+import { sanitizeHTML } from '../helper/sanitize'
 
 export const defaultOptions: RenderOption = {
-  [StyleType.BLOCK]: (item: EmbeddedItem | EntryNode) =>
-    `<div><p>${item.title || item.uid}</p><p>Content type: <span>${item._content_type_uid || (item.system ? item.system.content_type_uid : '')}</span></p></div>`,
-  [StyleType.INLINE]: (item: EmbeddedItem | EntryNode) => `<span>${item.title || item.uid}</span>`,
-  [StyleType.LINK]: (item: EmbeddedItem | EntryNode, metadata: Metadata) => `<a href="${item.url}">${metadata.text || item.title || item.uid || (item.system ? item.system.uid : '')}</a>`,
-  [StyleType.DISPLAY]: (item: EmbeddedItem | EntryNode, metadata: Metadata) => `<img src="${item.url}" alt="${metadata.attributes.alt || item.title || item.filename || item.uid
-    || (item.system ? item.system.uid : '')}" />`,
-  [StyleType.DOWNLOAD]: (item: EmbeddedItem | EntryNode, metadata: Metadata) => `<a href="${item.url}">${metadata.text || item.title || item.uid || (item.system ? item.system.content_type_uid : '')}</a>`,
+  [StyleType.BLOCK]: (item: EmbeddedItem | EntryNode) => {
+    const title = sanitizeHTML(item.title || item.uid);
+    const content_type_uid = sanitizeHTML(item._content_type_uid || (item.system ? item.system.content_type_uid : ''));
+    return `<div><p>${title}</p><p>Content type: <span>${content_type_uid}</span></p></div>`;
+  },
+  [StyleType.INLINE]: (item: EmbeddedItem | EntryNode) => {
+    const title = sanitizeHTML(item.title || item.uid);
+    return `<span>${title}</span>`;
+  },
+  [StyleType.LINK]: (item: EmbeddedItem | EntryNode, metadata: Metadata) => {
+    const url = sanitizeHTML(item.url || 'undefined');
+    const text = sanitizeHTML(metadata.text || item.title || item.uid || (item.system ? item.system.uid : ''));
+    return `<a href="${url}">${text}</a>`;
+  },
+  [StyleType.DISPLAY]: (item: EmbeddedItem | EntryNode, metadata: Metadata) => {
+    const url = sanitizeHTML(item.url || 'undefined');
+    const alt = sanitizeHTML(metadata.attributes.alt || item.title || item.filename || item.uid
+      || (item.system ? item.system.uid : ''));
+    return `<img src="${url}" alt="${alt}" />`;
+  },
+  [StyleType.DOWNLOAD]: (item: EmbeddedItem | EntryNode, metadata: Metadata) => {
+    const href = sanitizeHTML(item.url || 'undefined');
+    const text = sanitizeHTML(metadata.text || item.title || item.uid || (item.system ? item.system.content_type_uid : ''));
+    return `<a href="${href}">${text}</a>`;
+  },
 };

From 423c8d49e55cc00405c395d07c06216fff15d35a Mon Sep 17 00:00:00 2001
From: reeshika-h <reeshika.hosmani@contentstack.com>
Date: Mon, 8 Jul 2024 14:35:13 +0530
Subject: [PATCH 2/2] chore: final changes done

---
 src/helper/sanitize.ts              | 11 ++---
 src/options/default-node-options.ts | 70 ++++++++++++++---------------
 2 files changed, 41 insertions(+), 40 deletions(-)

diff --git a/src/helper/sanitize.ts b/src/helper/sanitize.ts
index 0f2fe70..c413ff2 100644
--- a/src/helper/sanitize.ts
+++ b/src/helper/sanitize.ts
@@ -1,15 +1,16 @@
 
-type AllowedTags = 'p' | 'a' | 'strong' | 'em' | 'ul' | 'ol' | 'li';
-type AllowedAttributes = 'href' | 'title' | 'target' | 'alt' | 'src';
+type AllowedTags = 'p' | 'a' | 'strong' | 'em' | 'ul' | 'ol' | 'li' | 'h1' | 'h2' | 'h3' | 'h4' | 'h5' | 'h6' | 'sub' | 'u' | 'table' | 'thead' | 'tbody' | 'tr' | 'th' | 'td' | 'span'|'fragment'|'strike'|'sup'|'br';
+type AllowedAttributes = 'href' | 'title' | 'target' | 'alt' | 'src' | 'class' | 'id' | 'style';
 
-export function sanitizeHTML(input: string, allowedTags: AllowedTags[] = ['p', 'a', 'strong', 'em', 'ul', 'ol', 'li'], allowedAttributes: AllowedAttributes[] = ['href', 'title', 'target']): string {
+export function sanitizeHTML(input: string, allowedTags: AllowedTags[] = ['p', 'a', 'strong', 'em', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'sub', 'u', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'span','fragment','sup','strike','br'], allowedAttributes: AllowedAttributes[] = ['href', 'title', 'target', 'alt', 'src', 'class', 'id', 'style']): string {
     // Regular expression to find and remove all HTML tags except the allowed ones
-    const sanitized = input.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>?/gi, (match, tag) => {
+    const sanitized = input.replace(/<\/?([a-z][a-z0-9]*)\b[^<>]*>/gi, (match, tag) => {
         return allowedTags.includes(tag.toLowerCase()) ? match : '';
     });
 
     // Regular expression to remove all attributes except the allowed ones
-    const cleaned = sanitized.replace(/\s([a-z:]+)=['"][^'"]*['"]/gi, (match, attribute) => {
+    const cleaned = sanitized.replace(/\s([a-z:]+)=['"][^'"]*['"]/gi
+    , (match, attribute) => {
         return allowedAttributes.includes(attribute.toLowerCase()) ? match : '';
     });
 
diff --git a/src/options/default-node-options.ts b/src/options/default-node-options.ts
index 07b0f80..6e10756 100644
--- a/src/options/default-node-options.ts
+++ b/src/options/default-node-options.ts
@@ -9,70 +9,70 @@ export const defaultNodeOption: RenderOption = {
         return ``
     },
     [NodeType.PARAGRAPH]:(node: Node, next: Next) => {
-        return `<p${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</p>`
+        return `<p${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</p>`
     },
     [NodeType.LINK]:(node: Node, next: Next) => {
         const sanitizedHref = sanitizeHTML(node.attrs.href || node.attrs.url);
         if (node.attrs.target) {
-            return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${sanitizedHref}" target="${node.attrs.target}">${next(node.children)}</a>`
+            return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${sanitizedHref}" target="${node.attrs.target}">${sanitizeHTML(next(node.children))}</a>`
         }
-        return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${sanitizedHref}">${next(node.children)}</a>`
+        return `<a${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} href="${sanitizedHref}">${sanitizeHTML(next(node.children))}</a>`
     },
     [NodeType.IMAGE]:(node: Node, next: Next) => {
         const sanitizedSrc = sanitizeHTML(node.attrs.src || node.attrs.url);
-        return `<img${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${sanitizedSrc}" />${next(node.children)}`
+        return `<img${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${sanitizedSrc}" />${sanitizeHTML(next(node.children))}`
     },
     [NodeType.EMBED]:(node: Node, next: Next) => {
         const sanitizedSrc = sanitizeHTML(node.attrs.src || node.attrs.url);
-        return `<iframe${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${sanitizedSrc}">${next(node.children)}</iframe>`
+        return `<iframe${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${sanitizedSrc}">${sanitizeHTML(next(node.children))}</iframe>`
     },
     [NodeType.HEADING_1]:(node: Node, next: Next) => {
-        return `<h1${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</h1>`
+        return `<h1${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</h1>`
     },
     [NodeType.HEADING_2]:(node: Node, next: Next) => {
-        return `<h2${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</h2>`
+        return `<h2${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</h2>`
     },
     [NodeType.HEADING_3]:(node: Node, next: Next) => {
-        return `<h3${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</h3>`
+        return `<h3${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</h3>`
     },
     [NodeType.HEADING_4]:(node: Node, next: Next) => {
-        return `<h4${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</h4>`
+        return `<h4${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</h4>`
     },
     [NodeType.HEADING_5]:(node: Node, next: Next) => {
-        return `<h5${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</h5>`
+        return `<h5${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</h5>`
     },
     [NodeType.HEADING_6]:(node: Node, next: Next) => {
-        return `<h6${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</h6>`
+        return `<h6${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</h6>`
     },
     [NodeType.ORDER_LIST]:(node: Node, next: Next) => {
-        return `<ol${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</ol>`
+        return `<ol${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</ol>`
     },
     [NodeType.FRAGMENT]:(node: Node, next: Next) => {
-        return `<fragment>${next(node.children)}</fragment>`
+        return `<fragment>${sanitizeHTML(next(node.children))}</fragment>`
     },
     [NodeType.UNORDER_LIST]:(node: Node, next: Next) => {
-        return `<ul${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</ul>`
+        return `<ul${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</ul>`
     },
     [NodeType.LIST_ITEM]:(node: Node, next: Next) => {
-        return `<li${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</li>`
+        return `<li${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</li>`
     },
     [NodeType.HR]:(node: Node, next: Next) => {
         return `<hr>`
     },
     [NodeType.TABLE]:(node: Node, next: Next) => {
-        return `<table${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</table>`
+        return `<table${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</table>`
     },
     [NodeType.TABLE_HEADER]:(node: Node, next: Next) => {
-        return `<thead${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</thead>`
+        return `<thead${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</thead>`
     },
     [NodeType.TABLE_BODY]:(node: Node, next: Next) => {
-        return `<tbody${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</tbody>`
+        return `<tbody${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</tbody>`
     },
     [NodeType.TABLE_FOOTER]:(node: Node, next: Next) => {
-        return `<tfoot${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</tfoot>`
+        return `<tfoot${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</tfoot>`
     },
     [NodeType.TABLE_ROW]:(node: Node, next: Next) => {
-        return `<tr${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</tr>`
+        return `<tr${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</tr>`
     },
     [NodeType.TABLE_HEAD]:(node: Node, next: Next) => {
         if (node.attrs.void) return '';
@@ -82,7 +82,7 @@ export const defaultNodeOption: RenderOption = {
                 `${node.attrs.colSpan ? ` colspan="${node.attrs.colSpan}"` : ``}` +
                 `${node.attrs.style ? ` style="${node.attrs.style}"` : ``}`+
                 `${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}`+
-                `${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}` +
+                `${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}` +
                 `</th>`
     },
     [NodeType.TABLE_DATA]:(node: Node, next: Next) => {
@@ -93,52 +93,52 @@ export const defaultNodeOption: RenderOption = {
                 `${node.attrs.colSpan ? ` colspan="${node.attrs.colSpan}"` : ``}` +
                 `${node.attrs.style ? ` style="${node.attrs.style}"` : ``}`+
                 `${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}`+
-                `${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}` +
+                `${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}` +
                 `</td>`
     },
     [NodeType.BLOCK_QUOTE]:(node: Node, next: Next) => {
-        return `<blockquote${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</blockquote>`
+        return `<blockquote${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</blockquote>`
     },
     [NodeType.CODE]:(node: Node, next: Next) => {
-        return `<code${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${next(node.children)}</code>`
+        return `<code${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``}>${sanitizeHTML(next(node.children))}</code>`
     },
 
     ['reference']:(node: Node, next: Next) => {
         if (node.attrs.type === 'asset') {
-            return `<img${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${node.attrs['class-name']}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${node.attrs['asset-link']}" />`
+            return `<img${node.attrs.style ? ` style="${node.attrs.style}"` : ``}${node.attrs['class-name'] ? ` class="${sanitizeHTML(node.attrs['class-name'])}"` : ``}${node.attrs.id ? ` id="${node.attrs.id}"` : ``} src="${sanitizeHTML(node.attrs['asset-link'])}" />`
         }
         return ``
     },
     ['default']:(node: Node, next: Next) => {
-        return next(node.children)
+        return sanitizeHTML(next(node.children))
     },
 
     [MarkType.BOLD]:(text: string) => {
-        return `<strong>${text}</strong>`
+        return `<strong>${sanitizeHTML(text)}</strong>`
     },
     [MarkType.ITALIC]:(text: string) => {
-        return `<em>${text}</em>`
+        return `<em>${sanitizeHTML(text)}</em>`
     },
     [MarkType.UNDERLINE]:(text: string) => {
-        return `<u>${text}</u>`
+        return `<u>${sanitizeHTML(text)}</u>`
     },
     [MarkType.STRIKE_THROUGH]:(text: string) => {
-        return `<strike>${text}</strike>`
+        return `<strike>${sanitizeHTML(text)}</strike>`
     },
     [MarkType.INLINE_CODE]:(text: string) => {
-        return `<span>${text}</span>`
+        return `<span>${sanitizeHTML(text)}</span>`
     },
     [MarkType.SUBSCRIPT]:(text: string) => {
-        return `<sub>${text}</sub>`
+        return `<sub>${sanitizeHTML(text)}</sub>`
     },
     [MarkType.SUPERSCRIPT]:(text: string) => {
-        return `<sup>${text}</sup>`
+        return `<sup>${sanitizeHTML(text)}</sup>`
     },
     [MarkType.BREAK]:(text: string) => {
-        return `<br />${text}`
+        return `<br />${sanitizeHTML(text)}`
     },
     [MarkType.CLASSNAME_OR_ID]:(text: string, classname: string, id:string) => {
-        return `<span${classname ? ` class="${classname}"` : ``}${id ? ` id="${id}"` : ``}>${text}</span>`
+        return `<span${classname ? ` class="${classname}"` : ``}${id ? ` id="${id}"` : ``}>${sanitizeHTML(text)}</span>`
     }
 
 }