
feat(security): Strip HTML script tags before inserting content into DOM. Fixes #1974,#1665 #2129

Merged
merged 20 commits into master from tmorehouse/strip-scripts on Nov 4, 2018

Conversation

@tmorehouse tmorehouse (Member) commented Nov 3, 2018

Description of PR:

Utility for removing script tags from injected HTML (i.e. for use with v-html or domProps.innerHTML)

Prevents possible user supplied input from injecting scripts into the DOM

Fixes #1974
Fixes #1665


PR checklist:

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Enhancement to an existing feature
  • ARIA accessibility
  • Documentation update
  • Other, please describe:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No

If yes, please describe the impact:

Scripts will no longer be injected into the DOM (i.e. from user supplied data or component props that support HTML)

The PR fulfills these requirements:

  • It's submitted to the dev branch, not the master branch
  • When resolving a specific issue, it's referenced in the PR's title (e.g. fixes #xxxx[,#xxxx], where "xxxx" is the issue number)

If new features/enhancement/fixes are added or changed:

  • Includes documentation updates
  • New/updated tests are included and passing (if required)
  • Existing test suites are passing
  • The changes have not impacted the functionality of other components or directives
  • ARIA Accessibility has been taken into consideration (does it affect screen reader users or keyboard only users?)

If adding a new feature, or changing the functionality of an existing feature, the PR's description includes:

  • A convincing reason for adding this feature (to avoid wasting your time, it's best to open a suggestion issue first and wait for approval before working on it)

PR titles should follow the Conventional Commits naming convention

Utility for removing script tags from injected HTML (i.e. for use with v-html or domProps.innerHTML)

Prevents user supplied input from injecting scripts into the DOM
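As an added example (not bootstrap-vue's code and not the utility this PR introduces), the block below shows a script-tag stripper of the kind the description talks about, written as a string-level filter so it runs without a DOM, together with a check that goes one step beyond the PR: it reports the script-bearing constructs a `<script>` stripper leaves untouched, which is why such a filter reduces risk from v-html / innerHTML content but is not a general HTML sanitizer. The names `stripScripts`, `residualRisks`, `escapeHtml` and the sample string `SAMPLE_UNTRUSTED` are all constructed for this example.

```javascript
// Added example, not bootstrap-vue's own implementation. All function names and
// the sample input are constructed for illustration.

// A complete <script ...>...</script> element: any case, any attributes, may span
// lines. Non-greedy so adjacent script elements are matched one at a time.
// "\b" keeps <scripts> or <scripting> from being treated as a script tag.
const SCRIPT_ELEMENT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

// An opening <script that is never closed: a browser would treat everything after
// it as script text, so the conservative choice is to drop the rest of the string.
const UNTERMINATED_SCRIPT_RE = /<script\b[\s\S]*$/i;

// Remove <script> elements from an HTML string destined for v-html / innerHTML.
// Runs to a fixed point so that removing one element cannot reassemble a new
// <script> tag out of the text on either side of it ("<scr<script></script>ipt>").
function stripScripts(html) {
  if (typeof html !== 'string') return '';
  let out = html;
  let prev;
  do {
    prev = out;
    out = out.replace(SCRIPT_ELEMENT_RE, '');
  } while (out !== prev);
  return out.replace(UNTERMINATED_SCRIPT_RE, '');
}

// Constructs a script-tag stripper does not touch but that still run script once
// the string is inserted into the DOM. A non-empty result means the value must
// not be rendered as trusted HTML: render it as text, or use a full sanitizer.
const RESIDUAL_RISK_CHECKS = [
  { name: 'inline event handler attribute',
    re: /<[a-z][^>]*\son[a-z]+\s*=/i },
  { name: 'javascript: URL',
    re: /\b(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedded content element',
    re: /<(?:iframe|object|embed)\b/i },
];

function residualRisks(html) {
  return RESIDUAL_RISK_CHECKS.filter(c => c.re.test(html)).map(c => c.name);
}

// When the value does not need to be HTML at all, escape it (or just use {{ }}
// interpolation) instead of v-html. This neutralises every construct above, not
// only <script>.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Constructed untrusted input (not taken from the PR or its issues).
const SAMPLE_UNTRUSTED =
  '<p>Hello</p>' +
  '<script>alert(1)</script>' +
  '<img src=x onerror="alert(2)">' +
  '<SCRIPT src="https://evil.example/x.js"></SCRIPT>' +
  '<a href="javascript:alert(3)">x</a>';

const stripped = stripScripts(SAMPLE_UNTRUSTED);
console.log('after stripScripts :', stripped);
console.log('still risky because:', residualRisks(stripped));
console.log('as escaped text    :', escapeHtml(SAMPLE_UNTRUSTED));
```

In a component this would sit between the untrusted value and the binding, e.g. `<div v-html="stripScripts(userHtml)">`; the `residualRisks` output for the sample shows that the `onerror` handler and the `javascript:` link survive the stripper, so the filter should be treated as defence in depth behind a content decision (text vs. HTML) or a real sanitizer, not as the only control.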
codecov bot commented Nov 3, 2018

Codecov Report

Merging #2129 into master will not change coverage.
The diff coverage is 77.77%.


@@           Coverage Diff           @@
##           master    #2129   +/-   ##
=======================================
  Coverage   60.83%   60.83%           
=======================================
  Files         154      155    +1     
  Lines        2885     2885           
  Branches      798      798           
=======================================
  Hits         1755     1755           
  Misses        812      812           
  Partials      318      318
Impacted Files Coverage Δ
src/components/input-group/input-group.js 100% <ø> (ø) ⬆️
src/components/modal/modal.js 23.47% <ø> (ø) ⬆️
src/components/button-group/button-group.js 100% <ø> (ø) ⬆️
src/components/dropdown/dropdown.js 100% <ø> (ø) ⬆️
src/components/jumbotron/jumbotron.js 100% <ø> (ø) ⬆️
src/mixins/form-options.js 61.11% <ø> (ø) ⬆️
src/components/card/card-body.js 100% <ø> (ø) ⬆️
src/components/nav/nav-item-dropdown.js 85.71% <ø> (ø) ⬆️
src/components/progress/progress-bar.js 90.47% <0%> (ø) ⬆️
src/mixins/pagination.js 58.87% <100%> (ø) ⬆️
... and 4 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a6bfd67...356a5de.

@tmorehouse tmorehouse changed the title from "[WIP] feat: Strip HTML script tags before inserting content into DOM. Fixes #1974" to "[WIP] feat: Strip HTML script tags before inserting content into DOM. Fixes #1974,#1665" Nov 4, 2018
@tmorehouse tmorehouse changed the title from "[WIP] feat: Strip HTML script tags before inserting content into DOM. Fixes #1974,#1665" to "feat(security): Strip HTML script tags before inserting content into DOM. Fixes #1974,#1665" Nov 4, 2018
@tmorehouse tmorehouse merged commit 6dde0cb into master Nov 4, 2018
@tmorehouse tmorehouse deleted the tmorehouse/strip-scripts branch November 4, 2018 04:03
@tmorehouse tmorehouse restored the tmorehouse/strip-scripts branch November 4, 2018 21:39
tmorehouse added a commit that referenced this pull request Nov 4, 2018
tmorehouse added a commit that referenced this pull request Nov 4, 2018
…nt into DOM. Fixes #1974,#1665 (#2129)" (#2135)

This reverts commit 6dde0cb.

Reverts #2129

Merged onto master instead of dev by mistake