-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removes uses of HTML injection in report #1226
Conversation
@@ -62,15 +63,6 @@ class ReportGenerator { | |||
return name.toLowerCase().replace(/\s/, '-'); | |||
}); | |||
|
|||
// Helper for either show an "✘" or "✔" booleans, or simply returning the | |||
// value if it's of any other type. | |||
Handlebars.registerHelper('getItemValue', value => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we were no longer using this.
|
||
// eslint-disable-next-line no-unused-vars | ||
Handlebars.registerHelper('sanitize', function(str, opts) { | ||
// const isViewer = opts.data.root.reportContext === 'viewer'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kept this to remember how to do one offs for different contexts (possible future stuff)
nice this will be so much better! need to talk to youtube guy about the dependency? |
This version of marked js is checked into g3 third_party :)
…On Wed, Dec 28, 2016, 5:01 PM Patrick Hulce ***@***.***> wrote:
nice this will be so much better! need to talk to our YT google3 friend about the dependency?
|
@patrickhulce want to approve if LGTU? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry!
Landing this so the next release has the security improvements and others can move forward with audit changes without running into rebase issues. |
Yep, very small. That could potentially come down further if we tree shake some unused features out. |
Nice. Got an experimental branch up where we do minifying and and viewing this size report: https://github.com/GoogleChrome/lighthouse/compare/minified-sizereport |
* Beginning to use markdown in snippets * Allow links and code snippets * Update audits to use .md instead of html * Add tests
R: @brendankenny @patrickhulce all
Fixes #1188.
This PR:
{{{}}}
, but keeps the ones where we control the input ({{{css}}}
and{{{script}}}
).marked
as a dependency. This module is lightweight (<30kb) and produces the necessary sanitization we need to escape unwanted HTML that gets loaded in the viewer/report.helpText
anddescriptions
shorter and easier to author.{{sanitize variableName}}
.@kaycebasques for the FYI as this changes audit help text from html to using markdown.