
Support Trusted Types #1575

Closed
shhnjk opened this issue Aug 5, 2020 · 2 comments · Fixed by #1614

Comments


shhnjk commented Aug 5, 2020

Bug Report

When Trusted Types is enabled on a website, the following lines cause a Trusted Types violation due to a string assignment to a dangerous sink (i.e. innerHTML).

```javascript
element.__resizeTriggers__.innerHTML =
  '<div class="expand-trigger"><div></div></div>' +
  '<div class="contract-trigger"></div>';
```

This can be prevented by changing those lines to something like:

```javascript
// Build the same markup with DOM APIs so no string reaches innerHTML.
var expandTriggerDiv = document.createElement('div');
expandTriggerDiv.className = 'expand-trigger';
expandTriggerDiv.appendChild(document.createElement('div'));
var contractTriggerDiv = document.createElement('div');
contractTriggerDiv.className = 'contract-trigger';
element.__resizeTriggers__.appendChild(expandTriggerDiv);
element.__resizeTriggers__.appendChild(contractTriggerDiv);
```

OR

```javascript
var htmlString =
  '<div class="expand-trigger"><div></div></div>' +
  '<div class="contract-trigger"></div>';
if (window.trustedTypes) {
  // The policy ignores its input and always returns the fixed markup, so the
  // resulting TrustedHTML can never carry caller-controlled content.
  // Note: creating a second policy with the same name throws unless the page's
  // CSP trusted-types directive includes 'allow-duplicates'.
  var staticPolicy = trustedTypes.createPolicy(
    'react-virtualized-auto-sizer', {createHTML: () => htmlString});
  element.__resizeTriggers__.innerHTML = staticPolicy.createHTML('');
} else {
  element.__resizeTriggers__.innerHTML = htmlString;
}
```

Note that React already supports Trusted Types.
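As an added example (not code from this issue or from react-virtualized-auto-sizer), the policy-based fix above rewritten so that it also copes with `createPolicy` throwing, which happens when the page's CSP does not list the policy name or a policy with that name already exists. The names `getStaticHtmlPolicy`, `resizeTriggerMarkup`, `EXAMPLE_CSP` and `fakeTrustedTypes` are introduced here; `tt` stands in for `window.trustedTypes` and `fakeTrustedTypes` is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example; not code from the issue or from react-virtualized-auto-sizer.
// `tt` stands for window.trustedTypes and is injected so this runs outside a browser.
const RESIZE_TRIGGER_HTML =
  '<div class="expand-trigger"><div></div></div>' +
  '<div class="contract-trigger"></div>';
// CSP the embedding site needs for the policy name to be permitted (library cannot supply this).
const EXAMPLE_CSP =
  "require-trusted-types-for 'script'; trusted-types react-virtualized-auto-sizer";
// One policy per trustedTypes object: createPolicy throws a TypeError when the name
// is already taken (absent 'allow-duplicates' in CSP) or not listed in `trusted-types`.
const policyCache = new WeakMap();

function getStaticHtmlPolicy(tt, name, html) {
  if (!tt) return null;                              // browser without Trusted Types
  let perTt = policyCache.get(tt);
  if (!perTt) { perTt = new Map(); policyCache.set(tt, perTt); }
  if (perTt.has(name)) return perTt.get(name);       // never call createPolicy twice
  let policy = null;
  try {
    // The policy ignores its argument and always yields the fixed markup, so no
    // caller-controlled string can reach innerHTML through it.
    policy = tt.createPolicy(name, { createHTML: () => html });
  } catch (e) {
    policy = null;  // name rejected by CSP or duplicate; caller falls back
  }
  perTt.set(name, policy);
  return policy;
}

// Value to assign to innerHTML: TrustedHTML when a policy exists, otherwise the plain
// string, which only works where Trusted Types is not being enforced.
function resizeTriggerMarkup(tt) {
  const policy = getStaticHtmlPolicy(tt, 'react-virtualized-auto-sizer', RESIZE_TRIGGER_HTML);
  return policy ? policy.createHTML('') : RESIZE_TRIGGER_HTML;
}

// Constructed stand-in for window.trustedTypes: duplicate or disallowed names throw,
// and createHTML returns an object (a TrustedHTML stand-in) rather than a string.
function fakeTrustedTypes(allowedNames) {
  const taken = new Set();
  return {
    createPolicy(name, rules) {
      if (taken.has(name) || !allowedNames.includes(name)) {
        throw new TypeError('Policy "' + name + '" disallowed or duplicate');
      }
      taken.add(name);
      return { name, createHTML: (input) => ({ toString: () => rules.createHTML(String(input)) }) };
    },
  };
}
```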


shhnjk commented Nov 23, 2020

@wuweiweiwu, could you take a look at #1614 or #1608 to fix this issue? We are having a deployment issue due to this bug. Thanks!

shhnjk added a commit that referenced this issue Dec 9, 2020
…ElementResize.js (#1614)

* Create Trusted Type policy for assigning an HTML

Co-authored-by: Jun Kokatsu <Jun.Kokatsu@microsoft.com>

shhnjk commented Dec 9, 2020

@wuweiweiwu could you create a new v9.22.3 release with dfc1190?
