Removes uses of HTML injection in report #1226
Conversation
| @@ -62,15 +63,6 @@ class ReportGenerator { | |||
| return name.toLowerCase().replace(/\s/, '-'); | |||
| }); | |||
|
|
|||
| // Helper for either show an "✘" or "✔" booleans, or simply returning the | |||
| // value if it's of any other type. | |||
| Handlebars.registerHelper('getItemValue', value => { | |||
There was a problem hiding this comment.
we were no longer using this.
|
|
||
| // eslint-disable-next-line no-unused-vars | ||
| Handlebars.registerHelper('sanitize', function(str, opts) { | ||
| // const isViewer = opts.data.root.reportContext === 'viewer'; |
There was a problem hiding this comment.
kept this to remember how to do one offs for different contexts (possible future stuff)
|
nice this will be so much better! need to talk to youtube guy about the dependency? |
|
This version of marked js is checked into g3 third_party :)
…On Wed, Dec 28, 2016, 5:01 PM Patrick Hulce ***@***.***> wrote:
nice this will be so much better! need to talk to our YT google3 friend about the dependency?
|
|
@patrickhulce want to approve if LGTU? |
|
Landing this so the next release has the security improvements and others can move forward with audit changes without running into rebase issues. |
|
marked appears to add just 27kb to the final bundle size. That seems good to me!
👍 |
|
Yep, very small. That could potentially come down further if we tree shake some unused features out. |
|
Nice. Got an experimental branch up where we do minifying and and viewing this size report: https://github.com/GoogleChrome/lighthouse/compare/minified-sizereport |
* Beginning to use markdown in snippets * Allow links and code snippets * Update audits to use .md instead of html * Add tests
R: @brendankenny @patrickhulce all
Fixes #1188.
This PR:
{{{}}}, but keeps the ones where we control the input ({{{css}}}and{{{script}}}).markedas a dependency. This module is lightweight (<30kb) and produces the necessary sanitization we need to escape unwanted HTML that gets loaded in the viewer/report.helpTextanddescriptionsshorter and easier to author.{{sanitize variableName}}.@kaycebasques for the FYI as this changes audit help text from html to using markdown.