Conversation

@obenland (Member)

Proposed changes:

  • Use safeHTML() consistently across all dangerouslySetInnerHTML usages

Other information:

  • Have you written new tests for your changes, if applicable?

N/A

Testing instructions:

  1. View the feed inspector with posts containing HTML content
  2. View the Follow Me block in the editor
  3. View the Extra Fields block
  4. Verify content displays correctly

Apply safeHTML() from @wordpress/dom to all dangerouslySetInnerHTML
usages to ensure frontend sanitization regardless of backend state.
Copilot AI review requested due to automatic review settings December 17, 2025 15:38
@obenland obenland added the Skip Changelog label (Disables the "Changelog Updated" action for PRs where changelog entries are not necessary) Dec 17, 2025
@obenland obenland self-assigned this Dec 17, 2025
@obenland obenland requested a review from a team December 17, 2025 15:38
@github-actions github-actions bot added the [Block] Follow Me and [Focus] Editor (Changes to the ActivityPub experience in the block editor) labels Dec 17, 2025
Copilot AI left a comment

Pull request overview

This PR enhances security by consistently applying the safeHTML() sanitization function from @wordpress/dom to all HTML content rendered via dangerouslySetInnerHTML across the codebase. This ensures that user-generated or external HTML content is properly sanitized before being rendered in the browser, reducing the risk of XSS (Cross-Site Scripting) vulnerabilities.

Key Changes:

  • Added safeHTML import from @wordpress/dom to three source files
  • Wrapped all dangerouslySetInnerHTML content with safeHTML() function calls
  • Updated corresponding build artifacts to reflect the source changes

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 9 comments.

Summary per file:

  • src/follow-me/edit.js: Added safeHTML import and wrapped profile summary HTML content with sanitization
  • src/extra-fields/edit.js: Added safeHTML import and wrapped extra field values with sanitization
  • src/app/routes/feed/inspector.tsx: Added safeHTML import, updated RenderHTML helper to sanitize decoded HTML, and improved documentation
  • build/follow-me/index.js: Minified build artifact reflecting source changes
  • build/follow-me/index.asset.php: Updated build version hash
  • build/extra-fields/index.js: Minified build artifact with wp-dom dependency added
  • build/extra-fields/index.asset.php: Updated dependencies to include 'wp-dom' and new version hash
  • build/app/index.js: Minified build artifact reflecting source changes
  • build/app/index.asset.php: Updated build version hash
  • build/app/feed-content.6f565d4e.js: New build artifact with sanitization logic

The changes are well-implemented and consistent. All uses of dangerouslySetInnerHTML in the modified files now properly sanitize their content through safeHTML(). The PR successfully improves the security posture of the application without introducing any issues.

Comments suppressed due to low confidence (2):

  • build/app/feed-content.6f565d4e.js:4: Variable 't' is used before its declaration.
  • build/app/feed-content.6f565d4e.js:4: This statement is unreachable.

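The pattern this PR applies, shown as an added illustration rather than code from the plugin: a helper that renders remote HTML via dangerouslySetInnerHTML, first without and then with safeHTML() from @wordpress/dom, as in the description above and the inspector.tsx entry in the file summary. The decodeEntities import from @wordpress/html-entities and the component names (RenderHTMLBefore, RenderHTML, ExtraFieldValue) are assumptions; the page only says the inspector's RenderHTML helper now sanitizes decoded HTML.

```jsx
import { safeHTML } from '@wordpress/dom';
// Assumed: the inspector decodes entities before rendering; the page does
// not say which decoder it uses.
import { decodeEntities } from '@wordpress/html-entities';

// Before: decoded remote HTML goes straight into the DOM, so rendering is
// only as safe as whatever the backend happened to store.
export function RenderHTMLBefore( { html } ) {
	const decoded = decodeEntities( html );
	return <div dangerouslySetInnerHTML={ { __html: decoded } } />;
}

// After: sanitize on the client as well, regardless of backend state.
// Order matters: decode first, then sanitize. Sanitizing the still-encoded
// string and decoding afterwards would turn escaped tags into live markup
// after the sanitizer has already run.
export function RenderHTML( { html } ) {
	const decoded = decodeEntities( html );
	return <div dangerouslySetInnerHTML={ { __html: safeHTML( decoded ) } } />;
}

// Same treatment for a block's extra field value (hypothetical component).
export function ExtraFieldValue( { value } ) {
	// safeHTML() strips <script> elements and on* handler attributes; it is
	// a frontend backstop, not a replacement for backend filtering.
	return <dd dangerouslySetInnerHTML={ { __html: safeHTML( value ) } } />;
}
```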

@pfefferle pfefferle (Member) left a comment

👍

@obenland obenland merged commit c35d956 into trunk Dec 17, 2025
16 checks passed
@obenland obenland deleted the fix/inspector-html-sanitization branch December 17, 2025 15:43