Recently, reported a valuable issue: when using Hive Reader MINI to read his XSS Payload test page, the application displayed a blank screen.
(Illustration generated with the assistance of ChatGPT.)
From a security perspective, this behavior is actually conservative but reasonable. As we understand:
Since browsers typically block or flag malicious scripts, I assume that displaying a blank page or throwing an error is a safe way to handle potential XSS.
In other words, a rendering pipeline that stops before untrusted markup is shown fails closed: nothing from the payload page reaches the DOM, so the blank screen itself did not introduce any security risk. One caveat is worth stating, though. Current browsers no longer ship an XSS auditor (Chrome removed its XSS Auditor in version 78, and Firefox never had one), so the blank screen should not be credited to the browser detecting the payload. In a React application a blank page far more often means that an exception thrown during rendering unmounted the whole component tree, which is exactly the failure an error boundary exists to catch.
However, the problem is that this approach significantly hurts the user experience. From the user's perspective, a blank screen provides no feedback, no explanation, and no guidance on what to do next, which is clearly not acceptable for a well-designed application.
Based on this, we implemented two key improvements. First, we introduced an ErrorBoundary, so the application catches rendering errors and shows meaningful feedback instead of a blank screen. Second, we added stricter pre-sanitization before content reaches the rendering pipeline, so that all user-generated content is cleaned before it can derail rendering or reach the DOM. Together these changes keep the security guarantees intact while significantly improving usability.
After addressing this issue, we didn't stop there. With the help of AI, we conducted a comprehensive Deep Security Audit across the entire codebase and implemented a full round of security hardening.
(Illustration generated with the assistance of ChatGPT.)
Key Security Enhancements
1. Iframe Injection & Phishing Protection (Hardened)
The previous includes()-based string checks could be bypassed, because an allowed host name may also appear as a subdomain label, in the userinfo part, or in the path or fragment of a URL that actually points somewhere else. We now parse the URL with new URL() and compare the parsed hostname exactly against the allowlist, which closes that route for phishing via crafted URLs.
2. Markdown Attribute Escaping (Hardened)
During preprocessing, all href and src attribute values are HTML-escaped (e.g., " becomes &quot;), so a value can no longer close its quote and inject further attributes. This is defense in depth alongside rehype-sanitize, which remains the control that decides which elements, attributes and URL schemes are allowed at all; escaping keeps a value inside its attribute but does not make a javascript: URL safe.
3. RPC Node Protocol Security (Hardened)
RPC endpoints are now restricted to http:// and https://, so pseudo-protocols such as javascript: (and likewise data: or file:) are rejected before an endpoint is stored or contacted.
4. CSS Injection & UI Redressing (Verified Safe)
We removed className, style, and id from the allowed attributes. Without style, user content cannot position or layer elements over the application's own UI, and without className or id it cannot borrow the application's stylesheet, so UI overlay and clickjacking-style attacks through content are prevented.
5. Dangerous React APIs (Verified Safe)
No usage of dangerouslySetInnerHTML or eval() was found. All user content is processed through a secure rendering pipeline:
react-markdown → rehype-raw → rehype-sanitize
The order matters: rehype-raw turns raw HTML embedded in the Markdown into nodes, and rehype-sanitize must run after it so that those nodes are filtered as well.
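As an added example that is not part of the original post or of Hive Reader's code base, the following Node.js script implements the checks from items 1 to 3 with the built-in WHATWG URL parser and no third-party packages: the includes()-based iframe check beside its new URL() replacement (with inputs that bypass the former), HTML escaping for href/src values, and the http/https restriction for RPC endpoints. The allowlisted hosts, the function names and the sample URLs are assumptions constructed for the demo, not values taken from the project.

```javascript
// Added example for this post, not Hive Reader's own code. The allowlist entries,
// function names and sample inputs below are assumptions made for the demo.

// Hypothetical allowlist of hosts that may appear in an <iframe src>.
const IFRAME_HOST_ALLOWLIST = new Set(['www.youtube.com', 'player.vimeo.com']);

// Only http(s) endpoints may be used as RPC nodes.
const RPC_ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// 1a. The includes()-style check the post says was replaced. Kept only to show the
//     bypass: the allowed host can appear as a subdomain label, as userinfo, or in
//     the path or fragment of a URL that actually points somewhere else.
function isAllowedIframeSrcWeak(src) {
  for (const host of IFRAME_HOST_ALLOWLIST) {
    if (src.includes(host)) return true;
  }
  return false;
}

// 1b. Hardened check: parse with new URL(), require https, and compare the parsed
//     hostname exactly. Anything the parser rejects (relative paths, missing scheme,
//     garbage) is treated as not allowed.
function isAllowedIframeSrc(src) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  // url.hostname never contains userinfo, port, path, query or fragment, so
  // "https://www.youtube.com@evil.example/" yields the hostname "evil.example".
  return IFRAME_HOST_ALLOWLIST.has(url.hostname);
}

// 2. Escape a value destined for a double-quoted href/src attribute. Escaping stops
//    the value from closing the quote and starting a new attribute; it does NOT make
//    a javascript: URL safe, which is why the post pairs it with rehype-sanitize.
//    '&' is replaced first so that the entities produced later are not re-escaped.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build an anchor whose href and text have been escaped; used below to show that an
// attribute-injection payload stays inside the attribute value.
function renderLink(href, text) {
  return `<a href="${escapeAttribute(href)}">${escapeAttribute(text)}</a>`;
}

// 3. RPC endpoint protocol check. A bare "host:port" such as "localhost:8545" parses
//    with protocol "localhost:", so it is rejected rather than misread as a host;
//    callers must supply a full http(s) URL.
function isValidRpcEndpoint(endpoint) {
  try {
    return RPC_ALLOWED_PROTOCOLS.has(new URL(endpoint).protocol);
  } catch {
    return false;
  }
}

// Constructed sample inputs: the first three pass the weak check but not the strict one.
const samples = [
  'https://www.youtube.com.evil.example/embed/abc', // allowed host as a subdomain label
  'https://www.youtube.com@evil.example/embed/abc', // allowed host as userinfo
  'https://evil.example/phish#www.youtube.com',     // allowed host in the fragment
  'https://www.youtube.com/embed/abc',              // genuinely allowed
];
for (const s of samples) {
  console.log(`${s}\n  weak=${isAllowedIframeSrcWeak(s)} strict=${isAllowedIframeSrc(s)}`);
}
console.log(renderLink('https://a.example/" onmouseover="alert(1)', 'docs'));
console.log(isValidRpcEndpoint('javascript:alert(1)'), isValidRpcEndpoint('https://rpc.example:8545'));
```

Run it with node. Escaping and URL validation are deliberately separate functions: escapeAttribute keeps a value inside its attribute, while the parsed-hostname and protocol checks decide whether the URL should be accepted at all, and neither replaces the sanitizer that governs the rendered HTML.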
(Illustration generated with the assistance of ChatGPT.)
Summary
Starting from a "blank screen issue," we not only improved the user experience but also completed a comprehensive security upgrade. The current version establishes a clear and robust security boundary for handling user-generated content (UGC), ensuring both safety and usability.
Acknowledgements
Special thanks to for the feedback and test cases, which helped us identify issues and continuously improve the product.
Release
HIVE Reader v2.7.5 is now live with full security hardening. Try it now: