Fix xss vulnerability in the seo component
blittle committed Mar 12, 2024
1 parent 5060cf5 commit 4d6a530
Showing 5 changed files with 232 additions and 11 deletions.
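--- /dev/null
+++ b/.changeset/popular-moose-beam.md
@@ -0,0 +1,5 @@
+---
+'@shopify/hydrogen': patch
+---
+
+Fix XSS vulnerability in the SEO component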
197 changes: 189 additions & 8 deletions package-lock.json


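--- a/packages/hydrogen/package.json
+++ b/packages/hydrogen/package.json
@@ -61,7 +61,8 @@
 "dependencies": {
 "@shopify/hydrogen-react": "2024.1.1",
 "content-security-policy-builder": "^2.1.1",
-"type-fest": "^4.5.0"
+"type-fest": "^4.5.0",
+"sanitize-html": "^2.3.0"
 },
 "peerDependencies": {
 "@remix-run/react": "^2.1.0",
@@ -77,6 +78,7 @@
 "happy-dom": "^8.9.0",
 "react": "^18.2.0",
 "schema-dts": "^1.1.0",
-"vitest": "^1.0.4"
+"vitest": "^1.0.4",
+"@types/sanitize-html": "2.11.0"
 }
 }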
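Review bot: `sanitize-html` enters the runtime `dependencies` list (line 34) to back a single call in generate-seo-tags.ts that could be replaced by escaping `<` in the `JSON.stringify` output, so the server bundle now carries a full HTML parser (the 189-line lockfile addition in this commit hints at the transitive tree) on every SEO render. If the dependency stays, raise the floor from `^2.3.0` to the current 2.x release so installs do not resolve to a years-old minimum, keep the list sorted (`sanitize-html` before `type-fest`), and range the types like the neighbouring devDependencies, `"@types/sanitize-html": "^2.11.0"`.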
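--- a/packages/hydrogen/src/seo/generate-seo-tags.ts
+++ b/packages/hydrogen/src/seo/generate-seo-tags.ts
@@ -2,6 +2,8 @@ import type {ComponentPropsWithoutRef} from 'react';
 import type {Maybe} from '@shopify/hydrogen-react/storefront-api-types';
 import type {Thing, WithContext} from 'schema-dts';
 
+import sanitizeHtml from 'sanitize-html';
+
 const ERROR_PREFIX = 'Error in SEO input: ';
 
 // TODO: Refactor this into more reusable validators or use a library like zod to do this if we decide to use it in
@@ -503,7 +505,9 @@ export function generateSeoTags<
 'script',
 {
 type: 'application/ld+json',
-children: JSON.stringify(block),
+children: JSON.stringify(block, (k, value) => {
+return typeof value === 'string' ? sanitizeHtml(value) : value;
+}),
 },
 // @ts-expect-error
 `json-ld-${block?.['@type'] || block?.name || index++}`,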
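Review bot: `sanitizeHtml(value)` in the replacer (line 64) does not only strip tags, it also entity-encodes text, so any `&`, `<` or `>` in a JSON-LD string — a product name like `Tom & Jerry`, a URL with `?a=1&b=2` — is emitted as `&amp;`/`&lt;`/`&gt;` inside the `<script type="application/ld+json">` element, where the HTML parser does not decode entities and structured-data consumers will read the corrupted value. The breakout that actually matters inside a script element is a literal `</script` (or `<!--`) sequence, which `JSON.stringify` leaves untouched; escaping `<` in the serialized output, `children: JSON.stringify(block).replace(/</g, '\\u003c'),`, closes that hole while keeping the data byte-exact for JSON consumers (`\u003c` decodes back to `<`) and drops the need for the sanitize-html dependency. Note that a replacer only sees values, so a `</script>` sequence inside an object key would still pass through the current code unchanged — unlikely with schema-dts-typed input, but a test for it would pin the intent. generateSeoTags begins before this hunk, so the rest of the tag builder is not visible here.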
