Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce sanitizeHtml to sanitize markdown content #6523

Merged
merged 7 commits into from
Mar 4, 2022
Merged

Introduce sanitizeHtml to sanitize markdown content #6523

merged 7 commits into from
Mar 4, 2022

Conversation

AlexAndBear
Copy link
Contributor

@AlexAndBear AlexAndBear commented Mar 4, 2022
edited by fschade
Loading

Description

Bugfix: Prevent cross-site scripting attack while displaying space description

We've added a new package that strips out possible XSS attack code while displaying the space description

Related Issue

Motivation and Context

How Has This Been Tested?

  • test environment:
  • test case 1:
  • test case 2:
  • ...

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

Open tasks:

  • ...

@AlexAndBear AlexAndBear marked this pull request as ready for review March 4, 2022 08:23
@owncloud owncloud deleted a comment from update-docs bot Mar 4, 2022
@kulmann kulmann changed the title Introduce dompurify to sanitize markdown content Introduce sanitizeHtml to sanitize markdown content Mar 4, 2022
pascalwengerter
pascalwengerter approved these changes Mar 4, 2022
View reviewed changes
Copy link
Contributor

@pascalwengerter pascalwengerter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🧽

C0rby
C0rby approved these changes Mar 4, 2022
View reviewed changes
Copy link
Contributor

@C0rby C0rby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good and seems to be working. I couldn't set off any XSS payload I tried. 💪

@ownclouders
Copy link
Contributor

Results for oCISTrashbinUploadMoveJourney https://drone.owncloud.com/owncloud/web/23265/69/1
The following scenarios passed on retry:

  • webUITrashbinRestore/trashbinRestore.feature:279
  • webUITrashbinRestore/trashbinRestore.feature:46

@sonarcloud
Copy link

sonarcloud bot commented Mar 4, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

44.4% 44.4% Coverage
0.0% 0.0% Duplication

@pascalwengerter pascalwengerter merged commit 1a1cd9b into master Mar 4, 2022
@delete-merged-branch delete-merged-branch bot deleted the fix-spaces-readme-xss-vulnerabilities branch March 4, 2022 11:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pascalwengerter pascalwengerter pascalwengerter approved these changes

@C0rby C0rby C0rby approved these changes

@kulmann kulmann kulmann approved these changes

@JammingBen JammingBen Awaiting requested review from JammingBen

@fschade fschade Awaiting requested review from fschade

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Inject javascript into markDown
5 participants
@AlexAndBear @ownclouders @kulmann @C0rby @pascalwengerter