Skip to content

feat(security): strip html tags #2479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Feb 5, 2019
Merged

feat(security): strip html tags #2479

merged 13 commits into from
Feb 5, 2019

Conversation

pi0
Copy link
Member

@pi0 pi0 commented Jan 21, 2019
edited
Loading

Description of Pull Request:

Clarification letter: https://gist.github.com/pi0/674d49d5f1c2ccfe20d3b1e29ae7b497

Fixes #1974. Related to #2477.

PR checklist:

  • Prefer textContent and avoit innerHTML
  • Use stripTags in needed places
  • Prepare alternative slots

Does this PR introduce a breaking change? (check one)

  • Yes
  • No

If yes, please describe the impact:

Prevent's using HTML in mentioned areas. Users should alternatively use slots.

Components

* new props / slots

Essential:

  • dropdown > dropdown > text
    • Slot: button-content, text
    • Prop: *html
  • nav > nav-item-dropdown > text
    • Slot: button-content, text
    • Prop: *html
  • form-select > form-select > text
    • Slot: -
    • Prop: *html / *htmlField
  • input-group > input-group > prepend
    • Slot: -
    • Prop: *prependHTML
  • input-group > input-group > append
    • Slot: -
    • Prop: *appendHTML

Others:

  • card > card-footer > footer
    • Slot: -
    • Prop: *footerHTML
  • card > card-header > header
    • Slot: -
    • Prop: *headerHTML
  • carousel > carousel-slide > text
    • Slot: -
    • Prop: *textHTML
  • carousel > carousel-slide > caption
    • Slot: -
    • Prop: *captionHTML
  • jumbotron > jumbotron > header
    • Slot: header
    • Prop: *headerHTML
  • jumbotron > jumbotron > lead
    • Slot: lead
    • Prop: *leadHTML
  • modal > modal > title
    • Slot: modal-title
    • Prop: *titleHTML
  • modal > modal > cancelTitle
    • Slot: modal-cancel
    • Prop: *cancelTitleHTML
  • modal > modal > okTitle
    • Slot: modal-ok
    • Prop: *okTitleHTML
  • progress > progress-bar > label
    • Slot: default
    • Prop: *labelHTML
  • table > table > caption
    • Slot: table-caption
    • Prop: *captionHTML
  • table > table > label
    • Slot: FOOT_{key}, HEAD_{KEY}
    • Prop: *labelHTML
  • table > table > emptyFilteredText
    • Slot: emptyfiltered
    • Prop: *emptyFilteredHTML
  • table > table > emptyText
    • Slot: empty
    • Prop: *emptyHTML

Mixins

Essential:

  • form-options > text
    • Prop: html
  • form-radio-check-group > text
    • Prop: html

Others:

  • pagination > btnText
  • pagination > ellipsisText
  • pagination > prevText
  • pagination > prevText

@codecov
Copy link

codecov bot commented Jan 21, 2019
edited
Loading

Codecov Report

Merging #2479 into dev will increase coverage by 0.02%.
The diff coverage is 91.66%.

Impacted file tree graph

@@            Coverage Diff             @@
##              dev    #2479      +/-   ##
==========================================
+ Coverage   71.55%   71.57%   +0.02%     
==========================================
  Files         170      170              
  Lines        3227     3230       +3     
  Branches      913      914       +1     
==========================================
+ Hits         2309     2312       +3     
  Misses        666      666              
  Partials      252      252
Impacted Files Coverage Δ
src/components/form-select/form-select.js 52.38% <ø> (ø) ⬆️
src/components/card/card-header.js 100% <ø> (ø) ⬆️
src/mixins/dropdown.js 4.85% <ø> (ø) ⬆️
src/components/input-group/input-group.js 100% <ø> (ø) ⬆️
src/components/nav/nav-item-dropdown.js 85.71% <ø> (ø) ⬆️
src/mixins/form-radio-check-group.js 100% <ø> (ø) ⬆️
src/utils/tooltip.class.js 100% <ø> (ø) ⬆️
src/components/modal/modal.js 56.96% <ø> (ø) ⬆️
src/components/dropdown/dropdown.js 100% <ø> (ø) ⬆️
src/components/carousel/carousel-slide.js 93.33% <ø> (ø) ⬆️
... and 8 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1206628...baabdc8. Read the comment docs.

@mosinve
Copy link
Member

mosinve commented Jan 21, 2019

@pi0 Tooltips and popovers are broken

@pi0 pi0 mentioned this pull request Jan 21, 2019
Closed
@pi0 pi0 changed the title feat(security): strip html tags by default feat(security): strip html tags Jan 21, 2019
@pi0 pi0 removed the Status: WIP label Jan 21, 2019
@pi0 pi0 requested review from tmorehouse, mosinve and a team January 21, 2019 13:24
@pi0 pi0 merged commit 3c6ba3e into dev Feb 5, 2019
@pi0 pi0 deleted the hotfix/1974-dev branch February 5, 2019 22:15
@lianee
Copy link
Contributor

lianee commented Feb 10, 2019
edited
Loading

in Pagination, buttons default values (HTML entites) are showing as text: &laquo; &lsaquo; &hellip; &rsaquo; &raquo;

pi0 pushed a commit that referenced this pull request Feb 10, 2019
fix(pagination): fx esxaped chars (fixes #2479)
1efd59c 
Thanks to @lianee
@pi0
Copy link
Member Author

pi0 commented Feb 10, 2019
edited
Loading

@lianee fixed on dev

@woothu woothu mentioned this pull request Mar 11, 2019
Closed
@jacobmllr95 jacobmllr95 mentioned this pull request May 20, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmorehouse tmorehouse Awaiting requested review from tmorehouse

@mosinve mosinve Awaiting requested review from mosinve

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pi0 @mosinve @lianee