New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(security): no warning when sanitizing escaped html (#9392) #9413
Conversation
Thanks for the PR! This looks conceptually fine (we want to compare to the input, not to the intermediate parsed state), and the test looks good, but I don't understand why it works. Shouldn't Any idea what's going on there? |
The problem is produced by these lines: First modifies the input so that it's no longer the initial value in some cases (as you can see |
Assume this code, from a DevTools console session: let d = document.createElement('div');
// <div></div>
let unsafeHtml = 'hello 🚀'; // the input to sanitize
d.innerHTML = unsafeHtml; // parse it
let safeHtml = d.innerHTML; // serialize it back
// "hello 🚀" -- safeHtml now contains the actual rocket character, unescaped.
safeHtml === unsafeHtml;
// false Turns out our code explicitly encodes entities in E.g. if you add a test case for |
The code you've just pasted is actually fine and reflects the situation except of naming. Look what
|
Could you add this test case and see what happens? t.it('supports sanitizing escaped entities', () => {
t.expect(sanitizeHtml('hellö')).toEqual('hellö');
t.expect(logMsgs).toEqual([]);
}); |
No problem. Here's the output:
Both I've expected before starting tests. |
So, do you think this change is worth it, given that we fundamentally cannot fix the problem? |
I think that fundamentally it works pretty well. Look, sanitizeHtml('hellö') gives you the output: t.it('supports sanitizing escaped entities', () => {
t.expect(sanitizeHtml('hellö')).toEqual('hellö');
t.expect(logMsgs).toEqual([]);
}); Now input and output are exactly the same. Both tests in this PR will succeed. However in the master second will fail because of warning message that should not be logged in this case. I think it's still worth to add because in current version the information is just misleading. Make sense? |
@@ -223,11 +223,11 @@ function stripCustomNsAttrs(el: any) { | |||
* Sanitizes the given unsafe, untrusted HTML fragment, and returns HTML text that is safe to add to | |||
* the DOM in a browser environment. | |||
*/ | |||
export function sanitizeHtml(unsafeHtml: string): string { | |||
export function sanitizeHtml(entryHtml: string): string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: could you rename this to unsafeHtmlInput
? It's kind of important here to keep track of what's safe and what isn't.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
We'll still warn people about effectively harmless changes (input changes that are not actually changing anything), but I can see your reasoning. Also, the change is harmless enough. Could you fix the parameter name? Otherwise good to go. |
Merged. Thanks for the contribution @wkwiatek! |
Thanks. You're welcome! |
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Please check if the PR fulfills these requirements
What kind of change does this PR introduce? (check one with "x")
What is the current behavior? (You can also link to an open issue here)
#9392
What is the new behavior?
No warning when properly escaped html is passed to
sanitize
Does this PR introduce a breaking change? (check one with "x")
If this PR contains a breaking change, please describe the impact and migration path for existing applications: ...
Other information: