fix(DHIS2-17668): sanitise HTML in table instead of showing it as encoded text #338
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
🚀 Deployed on https://pr-338--dhis2-data-approval.netlify.app |
kabaros
force-pushed
the
fix/DHIS2-17668
branch
3 times, most recently
from
618145a to
76cc4d8
Compare
kabaros
force-pushed
the
fix/DHIS2-17668
branch
4 times, most recently
from
d2a0f63 to
0b01d22
Compare
kabaros
changed the title
kabaros
force-pushed
the
fix/DHIS2-17668
branch
3 times, most recently
from
bbc0b45 to
80be548
Compare
kabaros
force-pushed
the
fix/DHIS2-17668
branch
from
c88a8c2 to
91223a2
Compare
tomzemp
approved these changes
Aug 21, 2024
| <DataTableToolbar columns={columns.length}> | ||
| <span | ||
| dangerouslySetInnerHTML={{ | ||
| __html: DOMPurify.sanitize(title), |
There was a problem hiding this comment.
this seems like the title should not be HTML? Isn't this just the dataset name, and so if someone calls their dataset <h2>My data set</h2>, I guess they should get that string literal back? Not parsed HTML?
kabaros
force-pushed
the
fix/DHIS2-17668
branch
from
91223a2 to
86f6d0d
Compare
kabaros
force-pushed
the
fix/DHIS2-17668
branch
from
86f6d0d to
f4be462
Compare
Birkbjo
approved these changes
Aug 21, 2024
|
|
||
| // Needs to have the same width as the table, so can't use the one from | ||
| // @dhis2/ui | ||
| const DataTableToolbar = ({ children, columns }) => ( |
There was a problem hiding this comment.
Minor: It's not immediately obvious that columns is a number here. columnCount would be more descriptive maybe?
|
🎉 This PR is included in version 100.0.12 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes https://dhis2.atlassian.net/browse/DHIS2-17668
This PR updates the handling of custom datasets to allow display custom HTML and CSS - this is made safe by using
react-html-parser(similar to other applications like data-entry).We created a new component for displaying custom datasets, rather than sanitising all input, to avoid adding unnecessary overhead for the vast majority of usecases that don't use custom datasets.
Screenshots