
[login] Add code sanitizer before dangerouslySetInnerHTML #7491

CamilleBeau (Contributor) opened this pull request:

Brief summary of changes

This PR adds DOMPurify to sanitize the code that is passed through dangerouslySetInnerHTML to avoid XSS vulnerabilities.

Testing instructions (if applicable)

  1. Run npm install dompurify
  2. Before checking out this PR, edit and save the description field of the GUI tab in the configuration module:
    <h3 onclick="alert('Attack message test')">Example Study Description</h3> (or something similar)
  3. Log out and try clicking on "Example Study Description" from the login page. You should see a message pop up.
  4. Check out this PR and run make dev
  5. Try again to click on "Example Study Description" from the login page. You should now see no pop-up.
  6. Make sure that the intended HTML is still rendering (bold, titles, etc.)
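The pattern this PR describes, as an added illustration rather than the project's own component (the page does not show its code): the stored description goes through DOMPurify.sanitize before it reaches dangerouslySetInnerHTML. The component names and the html prop are assumptions; the sample input is the one from the testing instructions above.

```jsx
import React from 'react';
import DOMPurify from 'dompurify';

// Constructed input, copied from the PR's testing instructions: ordinary
// markup that also carries an inline event handler.
const untrustedDescription =
  '<h3 onclick="alert(\'Attack message test\')">Example Study Description</h3>';

// Before the fix (assumed shape of the original component): the stored HTML
// is handed to the DOM untouched, so the inline handler is live on the
// login page. This is the behaviour step 3 of the test reproduces.
function StudyDescriptionUnsafe({ html }) {
  return <div dangerouslySetInnerHTML={{ __html: html }} />;
}

// After the fix: DOMPurify's default profile removes event-handler
// attributes such as onclick, <script> elements and javascript: URLs, while
// leaving ordinary tags like <h3>, <h4> and <b> in place, which is what
// step 6 of the test verifies.
function StudyDescription({ html }) {
  const clean = DOMPurify.sanitize(html);
  return <div dangerouslySetInnerHTML={{ __html: clean }} />;
}

// Optional tightening (not part of this PR): restrict the output to the tags
// the description field is meant to contain. ALLOWED_TAGS is a real
// DOMPurify option; the tag list here is an assumption.
function StudyDescriptionStrict({ html }) {
  const clean = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['h3', 'h4', 'b', 'strong', 'em', 'p', 'ul', 'ol', 'li', 'br'],
    ALLOWED_ATTR: [],
  });
  return <div dangerouslySetInnerHTML={{ __html: clean }} />;
}

export {
  StudyDescription,
  StudyDescriptionStrict,
  StudyDescriptionUnsafe,
  untrustedDescription,
};
```

Sanitizing at render time, as above, protects every reader of the field regardless of how the value got into the database; it does not replace validating the input when it is saved.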

@maltheism maltheism added the Needs Rebase PR contains conflicts with the current target branch or was issued to the wrong branch label Oct 17, 2022
maltheism (Member):

Hi @CamilleBeau, I can approve after the conflicts are fixed.

@maltheism maltheism self-requested a review October 17, 2022 18:43
@maltheism maltheism added Passed Manual Tests PR has undergone proper testing by at least one peer and removed Needs Rebase PR contains conflicts with the current target branch or was issued to the wrong branch labels Oct 31, 2022
@maltheism maltheism added the Security PR patches a vulnerability, makes resource access changes, or updates dependencies label Nov 21, 2022
CamilleBeau (Contributor, Author) commented Nov 29, 2022:

@driusan @ridz1208 @maltheism Confirmed that benign HTML such as h4 tags still goes through with dompurify. Ready for merge.

@driusan driusan merged commit b932880 into aces:main Nov 30, 2022
driusan pushed a commit that referenced this pull request Dec 1, 2022
This fixes the test failures introduced by #7491, which was sent before the package-lock.json file was committed.
@ridz1208 ridz1208 added this to the 25.0.0 milestone Mar 6, 2023
driusan pushed a commit that referenced this pull request Mar 28, 2023