amp-mustache: Output user errors when elements/attributes are sanitized #20285

Merged
merged 4 commits into from Jan 15, 2019

dreamofabear

Fixes #17897.

@dreamofabear
Author

/to @alabiaga

user().error(TAG, `Removed unsafe attribute: ${name}="${value}"`);
} else if (r.element) {
const {nodeName} = r.element;
if (nodeName !== 'REMOVE') { // <remove> is added by DOMPurify.
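
Review bot: the `nodeName !== 'REMOVE'` comparison on the last line relies on a DOMPurify implementation detail that the trailing comment only hints at. Consider a named constant for the string and a comment that says why entries for `<remove>` are skipped rather than reported, so the check is easy to find if the library's behaviour changes.
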
Contributor

Why not just combine the nodeName check in the initial element check?

if (r.attribute) {
   const {name, value} = r.attribute;
   user().error(TAG, `Removed unsafe attribute: ${name}="${value}"`);
} else if (r.element && r.element.nodeName !== 'REMOVE') {
...
}

Author

This reads more like prose to me:

// If an attribute is removed...
// Otherwise, if an element is removed...
//     If the element is <remove>...

// Skip Edge, which throws "Permission denied" errors when inspecting
// element properties in the testing iframe (Edge 17, Windows 10).
describe.configure().skipEdge().run('amp-bind', function() {
// Give more than default 2000ms timeout for local testing.
Contributor

We should keep this comment and move it to where you declared TIMEOUT.

Author

We're not referencing mochaTimeout anymore, so there's no need to refer to "default timeout".

@dreamofabear dreamofabear merged commit c0a185f into ampproject:master Jan 15, 2019
@dreamofabear dreamofabear deleted the dompurify-warnings branch January 15, 2019 18:28
noranazmy pushed a commit to noranazmy/amphtml that referenced this pull request Mar 22, 2019
…ed (ampproject#20285)

* Output user errors for elements/attrs sanitized by DOMPurify.

* Make sanitizer error format consistent.

* Add documentation with sanitization caveat.

* Increase timeout of test-amp-bind to 15s.
4 participants