[login] Add code sanitizer before dangerouslySetInnerHTML (#7491)

This adds DOMPurify to sanitize the code that is passed through dangerouslySetInnerHTML to avoid XSS vulnerabilities.
aces · Nov 30, 2022 · b932880 · b932880
1 parent 5ee4259
commit b932880
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/modules/#/jsx/#Index.js b/modules/#/jsx/#Index.js
@@ -5,6 +5,7 @@ import React, {Component} from 'react';
 import PropTypes from 'prop-types';
 import Loader from 'Loader';
 import Panel from 'Panel';
+import DOMPurify from 'dompurify';
 
 /**
  * Login form.
@@ -177,7 +178,9 @@ class Login extends Component {
     }
     if (this.state.mode === 'login') {
       const study = (
-        <div dangerouslySetInnerHTML={{__html: this.state.study.description}}/>
+        <div dangerouslySetInnerHTML={{
+          __html: DOMPurify.sanitize(this.state.study.description),
+        }}/>
       );
       const error = this.state.form.error.toggle ? (
         <StaticElement

diff --git a/package.json b/package.json
@@ -11,6 +11,7 @@
     "@babel/runtime": "^7.10.5",
     "@fortawesome/fontawesome-free": "^5.11.2",
     "copy-webpack-plugin": "^11.0.0",
+    "dompurify": "^2.2.9",
     "jstat": "^1.9.5",
     "papaparse": "^5.3.0",
     "prop-types": "^15.7.2",