
Enable dompurify trusted types #10273


Open: wants to merge 1 commit into master

Conversation


@Top-Cat Top-Cat commented Feb 1, 2025

Add configuration option RETURN_TRUSTED_TYPE to DomPurify setup (https://github.com/cure53/DOMPurify?tab=readme-ov-file#what-about-dompurify-and-trusted-types)

Description

dangerouslySetInnerHTML will support this type automatically in place of a string.
I don't entirely understand why OAS3 trims the html and the base component doesn't but for now I've chosen to avoid updating a load of expected test values. Happy to change this if desired.

Motivation and Context

This allows enabling require-trusted-types-for in CSP to reduce XSS attack surface.

How Has This Been Tested?

Tested local dev server with both the default and an oas3 api (https://petstore3.swagger.io/api/v3/openapi.json)

Screenshots (if appropriate):

(Looks the same as before)

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

There are existing tests covering markdown rendering
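The mechanism the description and motivation above rely on, as an added example that is not code from this PR or from DOMPurify: a sink such as the one `dangerouslySetInnerHTML` writes to, under a `require-trusted-types-for 'script'` CSP, accepts only a TrustedHTML object, and `RETURN_TRUSTED_TYPE` is what makes the sanitizer hand one back. The Trusted Types stand-in (used only when no browser `trustedTypes` is present), the toy sanitizer and the sink model are assumptions made so the flow runs offline.

```javascript
// Added example, not code from the swagger-ui PR or from DOMPurify. It models
// what `require-trusted-types-for 'script'` changes at the innerHTML sink that
// dangerouslySetInnerHTML writes to, and why RETURN_TRUSTED_TYPE is what lets
// sanitized output reach that sink. In a browser the real `trustedTypes` factory
// is used; under Node (no DOM) a minimal stand-in is defined so it runs offline.
// The stand-in factory, toy sanitizer and sink model are all assumptions.

const trustedTypes = globalThis.trustedTypes ?? (() => {
  // Stand-in for the browser's TrustedHTML: an opaque wrapper around a string.
  class TrustedHTML {
    constructor(html) { this.html = html; }
    toString() { return this.html; }
  }
  return {
    createPolicy: (name, rules) => ({
      name,
      createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
    }),
    isHTML: (value) => value instanceof TrustedHTML,
  };
})();

// Toy stand-in for DOMPurify.sanitize (NOT a real sanitizer): drops <script>
// elements and inline on* event-handler attributes, nothing more.
function toySanitize(dirty) {
  return String(dirty)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// DOMPurify registers a policy named "dompurify"; a CSP that enforces the sink
// check and allows that policy looks like:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types dompurify
const policy = trustedTypes.createPolicy('dompurify', { createHTML: toySanitize });

// Mirrors the RETURN_TRUSTED_TYPE option: identical sanitization either way,
// but only the TrustedHTML form is accepted by an enforcing sink.
function sanitize(dirty, { RETURN_TRUSTED_TYPE = false } = {}) {
  return RETURN_TRUSTED_TYPE ? policy.createHTML(dirty) : toySanitize(dirty);
}

// Model of element.innerHTML under the CSP: with enforcement on, anything that
// is not a TrustedHTML is rejected, as a browser rejects a plain string.
function assignInnerHTML(el, value, enforce = true) {
  if (enforce && !trustedTypes.isHTML(value)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  el.innerHTML = String(value);
  return el.innerHTML;
}
```

With enforcement on, `sanitize(dirty)` without the option still produces clean markup but is refused at the sink; only the `RETURN_TRUSTED_TYPE: true` form gets through, which is the behaviour the PR enables.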

@ponelat ponelat added the security fix Security fix generated by WhiteSource label Feb 21, 2025