Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

console: sanitize html content for ansi-console-item #9339

Merged
merged 1 commit into from
Apr 19, 2021
Merged

console: sanitize html content for ansi-console-item #9339

merged 1 commit into from
Apr 19, 2021

Conversation

vince-fugnitto
Copy link
Member

What it does

Fixes: #8794

The following commit sanitizes the htmlContent used by the ansi-console to prevent cross-site-scripting (xss).
The commit makes use of DOMPurify.sanitize to sanitize the content of the html content.

How to test

Follow the steps provided in the #8794 video.
I confirmed that the dialog appears on master but not the pull-request when sanitization occurs.

Review checklist

Reminder for reviewers

Signed-off-by: vince-fugnitto vincent.fugnitto@ericsson.com

@vince-fugnitto
console: sanitize html content
cdf8ed8 
The following commit sanitizes the `htmlContent` used by the
`ansi-console` to prevent cross-site-scripting (xss).

The commit makes use of `DOMPurify.sanitize` to sanitize the content of
the html content.

Signed-off-by: vince-fugnitto <vincent.fugnitto@ericsson.com>
@vince-fugnitto vince-fugnitto added console issues related to the console security issues related to security labels Apr 13, 2021
@vince-fugnitto vince-fugnitto self-assigned this Apr 13, 2021
@marcdumais-work marcdumais-work mentioned this pull request Apr 13, 2021
Closed
@marcdumais-work marcdumais-work added this to the 1.13.0 milestone Apr 15, 2021
DucNgn
DucNgn approved these changes Apr 16, 2021
View reviewed changes
Copy link
Contributor

@DucNgn DucNgn left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I confirmed that the issue exists on master. With this PR, the dialog doesn't appear anymore.

paul-marechal
paul-marechal approved these changes Apr 19, 2021
View reviewed changes
Copy link
Member

@paul-marechal paul-marechal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@vince-fugnitto vince-fugnitto merged commit 6c285a8 into master Apr 19, 2021
@vince-fugnitto vince-fugnitto deleted the vf/console.fix branch April 19, 2021 16:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcdumais-work marcdumais-work marcdumais-work left review comments

@DucNgn DucNgn DucNgn approved these changes

@paul-marechal paul-marechal paul-marechal approved these changes

Assignees

@vince-fugnitto vince-fugnitto

Labels
console issues related to the console security issues related to security
Projects
None yet
Milestone
1.13.0
Development

Successfully merging this pull request may close these issues.

XSS in Debug Console [Theia v1.8.0]
4 participants
@vince-fugnitto @paul-marechal @marcdumais-work @DucNgn