sanitized text should have target attribute in links #1463
Conversation
...in/content/jcr_root/apps/core/fd/components/form/text/v1/text/clientlibs/site/js/textview.js
check comments
Codecov Report
All modified and coverable lines are covered by tests ✅

```diff
@@ Coverage Diff @@
##              dev    #1463   +/-   ##
============================================
+ Coverage    82.28%   82.32%   +0.03%
- Complexity     924      926       +2
============================================
  Files          103      103
  Lines         2371     2376       +5
  Branches       321      323       +2
============================================
+ Hits          1951     1956       +5
  Misses         257      257
  Partials       163      163
```

☔ View full report in Codecov by Sentry.
@@ -66,7 +66,10 @@ | |||
updateValue(value) { | |||
// html sets undefined value as undefined string in input value, hence this check is added | |||
let actualValue = typeof value === "undefined" ? "" : value; | |||
const sanitizedValue = window.DOMPurify ? window.DOMPurify.sanitize(actualValue) : actualValue; | |||
let sanitizedValue = window.DOMPurify ? window.DOMPurify.sanitize(actualValue, { |
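Review bot: the fallback branch of the ternary is untouched by this hunk and still assigns actualValue unsanitized whenever window.DOMPurify is not present; now that the component depends on DOMPurify for an attribute allowlist, that branch should fail closed (treat the value as text) rather than pass raw HTML through. The configuration object opened on the new `let sanitizedValue = window.DOMPurify ? window.DOMPurify.sanitize(actualValue, {` line is cut off here, so the allowed attribute list cannot be reviewed from this hunk; since the PR adds target to anchors, the test collateral should include a link with target="_blank" and check what rel it ends up with. The change from const to let implies a later reassignment of sanitizedValue that should also be visible in the diff.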
There may be several attributes that could be filtered out by DOMPurify. Please validate all scenarios that are exposed. We are also planning to provide the complete HTML view, so DOMPurify needs to be capable of handling all these situations.
For future reference, this should have been done before the addition of DOMPurify in the code.
Also, allowing different attributes exposes new risks for vulnerabilities, making the use of DOMPurify irrelevant.
IMO, we should let the customer come with a use-case and then provide a fix for it, if there is any.
> For future reference, this should have been done before the addition of DOMPurify in the code.

Yes, but since it wasn't addressed prior to the addition and is now considered a bug, please verify all the use cases currently exposed in the RTE.

> Also, allowing different attributes exposes new risks for vulnerabilities, making the use of DOMPurify irrelevant.

No, it's relevant. Someone could modify the JSON and still launch an XSS attack. Therefore, we should selectively sanitize the content based on our specific use cases through the RTE.

> IMO, we should let the customer come with a use-case and then provide a fix for it, if there is any.

No, in this case, we have already exposed a set of features, so all of them need to be validated as part of this PR to prevent any further regression. In fact, let's add all of the RTE use-cases as part of the test collateral itself.
What about doing this: let's write a function specifically for cleaning HTML in the text component, since we have exposed a lot of RTE use-cases.

```javascript
// Custom configuration for DOMPurify
const cleanHTML = (dirtyHTML) => {
    // Specify the allowed tags
    const allowedTags = [
        'b', 'strong',
        'i', 'em',
        'u',
        'small',
        'blockquote',
        'code',
        'ul', 'ol', 'li',
        'a',
        'img',
        'table', 'tr', 'td', 'th',
        'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
        'br', 'p'
    ];
    // DOMPurify's ALLOWED_ATTR takes a flat array of attribute names, not a
    // per-tag map (an object here is not supported). Every name listed is
    // accepted on every allowed tag, so the list is kept minimal.
    const allowedAttributes = [
        // Attributes for links
        'href', 'target', 'rel',
        // Attributes for images
        'src', 'alt', 'title'
    ];
    // Sanitize the HTML
    const sanitizedHTML = DOMPurify.sanitize(dirtyHTML, {
        ALLOWED_TAGS: allowedTags,
        ALLOWED_ATTR: allowedAttributes
    });
    return sanitizedHTML;
};
```
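The thread's point is that widening the attribute allowlist, and `target` on anchors in particular, must be paired with controls that keep the sanitizer meaningful. The following is an added example written for this review; it is not code from the aem-core-forms-components project or from the commenter above. It keeps the tag list proposed in the thread, assumes the flat attribute list `href, target, rel, src, alt, title` (an assumption, not the project's list), assumes DOMPurify is loaded in the browser as `window.DOMPurify`, and adds a DOMPurify `afterSanitizeAttributes` hook that restricts `target` to anchors with `_blank`/`_self` and forces `rel="noopener noreferrer"` on `_blank`. The `FakeElement` class is a constructed stand-in for a DOM node so the hook can be exercised outside a browser.

```javascript
// Added example, not code from the aem-core-forms-components project.
// Allowlist-based DOMPurify configuration for rich-text (RTE) output in
// which anchors may carry a target attribute, plus a hook that pairs
// target="_blank" with rel="noopener noreferrer".
// Assumptions: DOMPurify is loaded as window.DOMPurify in the browser; the
// tag list mirrors the thread; the attribute list is assumed.

// Tags the RTE is expected to emit.
const RTE_ALLOWED_TAGS = [
  'b', 'strong', 'i', 'em', 'u', 'small', 'blockquote', 'code',
  'ul', 'ol', 'li', 'a', 'img', 'table', 'tr', 'td', 'th',
  'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'br', 'p',
];

// DOMPurify's ALLOWED_ATTR is a flat, global list: every name here is
// accepted on every allowed tag, so it is kept as small as possible.
const RTE_ALLOWED_ATTR = ['href', 'target', 'rel', 'src', 'alt', 'title'];

// target values that are kept; a named browsing context is dropped.
const SAFE_TARGETS = new Set(['_blank', '_self']);

function buildRteSanitizeConfig() {
  return { ALLOWED_TAGS: RTE_ALLOWED_TAGS, ALLOWED_ATTR: RTE_ALLOWED_ATTR };
}

// afterSanitizeAttributes hook: DOMPurify calls it with every element it
// keeps, after that element's attributes have been filtered. Because
// ALLOWED_ATTR is global, the per-tag restriction of target happens here.
// target="_blank" always gets a rel that denies the new window a
// window.opener reference back to this page (reverse tabnabbing).
function hardenAnchorTarget(node) {
  if (!node.hasAttribute('target')) {
    return;
  }
  const target = node.getAttribute('target');
  if (node.tagName !== 'A' || !SAFE_TARGETS.has(target)) {
    node.removeAttribute('target');
    return;
  }
  if (target === '_blank') {
    node.setAttribute('rel', 'noopener noreferrer');
  }
}

// Used only when no sanitizer is present: render the value as text rather
// than letting raw HTML through (fail closed).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Purifier instances that already have the hook registered.
const hookedPurifiers = new WeakSet();

// Entry point for the text component. The hook is registered once per
// purifier; the config is passed on every call since sanitize() does not
// persist it.
function sanitizeRteHtml(dirtyHtml, purifier = globalThis.DOMPurify) {
  if (!purifier) {
    return escapeHtml(dirtyHtml);
  }
  if (!hookedPurifiers.has(purifier)) {
    purifier.addHook('afterSanitizeAttributes', hardenAnchorTarget);
    hookedPurifiers.add(purifier);
  }
  return purifier.sanitize(dirtyHtml, buildRteSanitizeConfig());
}

// Constructed stand-in for a DOM Element so the hook can run outside a
// browser; the real hook receives live DOM nodes with the same methods.
class FakeElement {
  constructor(tagName, attrs = {}) {
    this.tagName = tagName.toUpperCase();
    this.attrs = new Map(Object.entries(attrs));
  }
  hasAttribute(name) { return this.attrs.has(name); }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  setAttribute(name, value) { this.attrs.set(name, String(value)); }
  removeAttribute(name) { this.attrs.delete(name); }
}

// Run the hook over a few constructed elements and return what survived.
function demoHardening() {
  const cases = [
    new FakeElement('a', { href: 'https://example.com', target: '_blank', rel: 'nofollow' }),
    new FakeElement('a', { href: 'https://example.com', target: 'myWindow' }),
    new FakeElement('a', { href: 'https://example.com', target: '_self' }),
    new FakeElement('img', { src: 'https://example.com/x.png', target: '_blank' }),
  ];
  cases.forEach(hardenAnchorTarget);
  return cases.map((el) => Object.fromEntries(el.attrs));
}

console.log(JSON.stringify(demoHardening(), null, 2));
```

In the browser the call site is simply `sanitizeRteHtml(value)`; the hook approach is used because DOMPurify cannot express "target only on `a`" or "`_blank` requires `rel`" through its allowlists alone, and it keeps the fallback path from ever emitting unsanitized markup.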
done
check comments
Please fix the test failures in this PR
Force-pushed from da7c005 to 5a68acd
LGTM
* fixing flaky test (#1450) Co-authored-by: Shivam Agarwal <shivama@adobe.com>
* Fixing vulnerability in GH action (#1452)
* Translation support for strings in switch (#1456) Co-authored-by: Pavitra Khatri <pavitrakhatri@pavitras-mbp.corp.adobe.com>
* Configured custom validation messages in file attachment (#1459) Co-authored-by: Pavitra Khatri <pavitrakhatri@pavitras-mbp.corp.adobe.com>
* Fixing gh workflow (#1460)
* Fixing gh workflow
* Fixing GH actions
* Move areOptionsRichText above Options (#1465)
* FORMS-17046 Focus on panel with static text not working via custom function (#1464)
* Focus on panel with static text not working via custom function
* Fixing test
* FORMS-15852 xss security fix for svg upload in file attachment (#1462)
* FORMS-15852 xss fix for svg upload in file upload
* FORMS-15852 xss fix for svg upload in file upload II
* FORMS-15852 xss fix for svg upload in file upload main
* FORMS-15852 xss fix for svg upload in file upload main II
* FORMS-15852 xss fix for svg upload in file upload main II
* FORMS-15852 xss fix for svg upload in file upload main II
--------- Co-authored-by: Rajat Khurana <rajatkhurana@adobe.com>
* FORMS-17068 Fetch custom properties from CoreComponentCustomPropertiesProvider which are behind FT and make part of FormContainer get properties. (#1467) Also updated Forms SDK version
* sanitized text should have target attribute in links (#1463)
* sanitized text should have target attribute in links
* catering comments
* correcting test case
* catering comments
--------- Co-authored-by: Shivam Agarwal <shivama@adobe.com>
* FORMS-17091 initializing label in button view (#1471) Co-authored-by: Shivam Agarwal <shivama@adobe.com>
* Fixing GH workflow (#1472)
* [FORMS-13474] HTML5 datalist enhancement in dropdown component (#1470)
* Adding new custom property for enable suggestions in bundles
* Junit test cases to cover Enable Suggestions and Multi Selection in Dropdown
* HTL template change + listener on checkbox
* Cypress test for enable suggestions
* Cypress test for enable suggestions
* Remove enableSuggestions from JSON
* Remove enableSuggestions from JUnit dropdown test json
* Cypress tests for dropdown with autocomplete
* Cypress tests for dropdown with autocomplete
* Update classname for datalist
* More Test cases to cover different values of enableSuggestions
* Remove extra code
* Simplified the return in enableSuggestions
* Remove JsonIgnore annotation
* JavaDoc for isEnableSuggestions
* Bump up the minor version in package-info
* Sort imports in dropdownimpl
* custom function registration using action url from backend (#1469)
* custom function registration using action url from backend custom function registration using action url from backend custom function registration using action url from backend
* custom function registration using action url from backend custom function registration using action url from backend custom function registration using action url from backend
* custom function registration using action url from backend
* custom function registration using action url from backend
* custom function registration using action url from backend
* custom function registration using action url from backend - reusing the existing function
* custom function registration using action url from backend - marked existing function as deprecated custom function registration using action url from backend - marked existing function as deprecated
* Update FormContainer.java
* formatting only
* Update utils.js
--------- Co-authored-by: Rishi Mehta <69448117+rismehta@users.noreply.github.com>
* Revert "[FORMS-13474] HTML5 datalist enhancement in dropdown component (#1470)" This reverts commit ac662e9.
* Moving CI to latest rotary image (#1475)
* using latest rotary image
* Fixing version
* @releng [maven-scm] :prepare release core-forms-components-reactor-3.0.72
* @releng [maven-scm] :prepare for next development iteration
* Update VERSIONS.md and README.md to include version 3.0.72
* Theme Editor POC CC Style Configs
* Fixed minor bug for base error class selector
* Adding style config for hCaptcha and reCaptcha
* Updating style for Buttons
* Updating style for Footer
* Updated style for Checkbox
* Updating style for input components
* Updating style for file input
* Updating style for image
* Updating style for radio button
* Updating style for switch
* Updating style for tnc
* Updating style for captcha
* Updating style for email and accordion
* Updating style for wizard
* Updating style for tabsontop
* Updating style for vertical tabs
* Updating style for panel container
* Updating themeConfig of container
* updating style for base
* Updating ids for theme editor support
* Updating reference to core components
* Clientlib changes
* Updating labels for UI
* Removing GuideException
* Additions in CheckboxGroup style config
* Updating VERTICAL and HORIZONTAL classes for checkbox and radiobutton
* Updating errormessage div styles for components
* Updating error and success states for components
---------
Co-authored-by: Shivam Agarwal <47965724+im-shiv@users.noreply.github.com>
Co-authored-by: Shivam Agarwal <shivama@adobe.com>
Co-authored-by: Rishi Mehta <69448117+rismehta@users.noreply.github.com>
Co-authored-by: pavi41 <82104752+pavi41@users.noreply.github.com>
Co-authored-by: Pavitra Khatri <pavitrakhatri@pavitras-mbp.corp.adobe.com>
Co-authored-by: anshikag-adobe <anshikag@adobe.com>
Co-authored-by: Rajat Khurana <30727855+rajatofficial@users.noreply.github.com>
Co-authored-by: Rajat Khurana <rajatkhurana@adobe.com>
Co-authored-by: Pankaj Girotra <126753223+girotraapankaj@users.noreply.github.com>
Co-authored-by: Barshat Rai <barshatrai99@gmail.com>
Co-authored-by: Rishi Mehta <rismehta@adobe.com>
Co-authored-by: ci-build <ci-build@aemforms>
Co-authored-by: Muskan Gupta <muskgupta@Muskans-MacBook-Pro.local>
No description provided.