feat: Enhance share page security with markdown sanitization and error handling

aider/website/share/index.md

@@ -4,7 +4,7 @@ nav_exclude: true
 
 <meta http-equiv="Content-Security-Policy" 
     content="default-src 'self'; 
-             script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; 
+             script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; 
              connect-src http: https:;
              style-src 'self' 'unsafe-inline';">
 
@@ -43,6 +43,7 @@ print("goodbye")
 </div>
 
 <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
+<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.6/purify.min.js"></script>
 <script>
 function isValidUrl(url) {
     try {
@@ -53,11 +54,18 @@ function isValidUrl(url) {
     }
 }
 
+// Configure marked with secure defaults
+marked.setOptions({
+    headerIds: false,
+    mangle: false
+});
+
 window.onload = function() {
     var urlParams = new URLSearchParams(window.location.search);
     var conv = urlParams.get('mdurl');
     if (!conv || !isValidUrl(conv)) {
-        console.error('Invalid or missing URL');
+        document.querySelector('#shared-transcript').innerHTML = 
+            '<div style="color: red; padding: 1em;">Error: Invalid or missing URL provided</div>';
         return;
     }
     document.getElementById('mdurl').href = conv;
@@ -79,11 +87,14 @@ window.onload = function() {
             return line;
         }).join('\n');
         var html = marked.parse(markdown);
+        var sanitizedHtml = DOMPurify.sanitize(html);
         var divElement = document.querySelector('#shared-transcript');
-        divElement.innerHTML = html;
+        divElement.innerHTML = sanitizedHtml;
     })
     .catch(error => {
         console.error('Error fetching markdown:', error);
+        document.querySelector('#shared-transcript').innerHTML = 
+            '<div style="color: red; padding: 1em;">Error: Failed to load chat transcript</div>';
     });
 }
 </script>