
TextPanel: Sanitize after markdown has been rendered to html #46166

Merged
merged 2 commits into from Mar 3, 2022

Conversation

ashharrison90
Contributor

What this PR does / why we need it:

  • currently we sanitize our markdown string before converting it to html. this leads to bugs such as:
    image
  • instead, let's convert the markdown to html and sanitize after:
    image

Which issue(s) this PR fixes:

Fixes https://github.com/grafana/support-escalations/issues/2017

Special notes for your reviewer:

i'm pretty sure this is still as secure, but would appreciate 👀 from someone from a security perspective 😄
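As an added illustration of the ordering the PR description argues for (example code written for this page, not Grafana's TextPanel code or the libraries it uses), the block below pairs a toy markdown renderer with a toy allow-list HTML sanitizer and runs the same input through "sanitize, then render" and "render, then sanitize". The renderer's raw-HTML passthrough and the sanitizer's decode-then-re-encode of text nodes are assumptions standing in for how real libraries behave. The sample markdown line and the `Server:html` value are taken from the e2e test discussed in this thread; the second, unsafe sample is constructed.

```javascript
// Added example for this PR discussion, not Grafana's TextPanel code: a toy
// markdown renderer and a toy allow-list HTML sanitizer, used to compare
// "sanitize, then render" (the old order) with "render, then sanitize".
// Both stand-ins are assumptions about how such libraries behave; the real
// libraries differ in detail, but the ordering effect is the same.

const ALLOWED_TAGS = new Set(['ul', 'li', 'p', 'code', 'b', 'strong', 'em']);

// Constructed sample: the text-panel markdown from the e2e test, with the
// `Server:html` value already interpolated.
const SAMPLE_MD = "* `Server:html` = `A'A\"A, BB\\B, CCC`";

// Constructed sample: markdown carrying inline HTML, which markdown passes through.
const UNSAFE_MD = '* hello <script>alert(1)</script> <b onclick="x">bold</b> `<i>code</i>`';

// Encode the five HTML-significant characters (what a renderer does inside code spans).
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Decode those entities (and decimal references) so text can be re-encoded exactly once.
// `&amp;` is decoded last so that `&amp;#39;` stays the literal text `&#39;`.
function decodeEntities(text) {
  return text
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Toy markdown: `* item` lines become a <ul>, other lines become <p>, backtick spans
// become <code> with escaped content, and everything else is passed through raw
// (markdown permits inline HTML, which is why the output needs sanitizing at all).
function renderMarkdown(md) {
  const inline = (text) => text.replace(/`([^`]+)`/g, (_, code) => `<code>${escapeHtml(code)}</code>`);
  let html = '';
  let inList = false;
  for (const line of md.split('\n')) {
    if (line.trim() === '') continue;
    const item = /^\* (.*)$/.exec(line);
    if (item) {
      if (!inList) { html += '<ul>'; inList = true; }
      html += `<li>${inline(item[1])}</li>`;
    } else {
      if (inList) { html += '</ul>'; inList = false; }
      html += `<p>${inline(line)}</p>`;
    }
  }
  if (inList) html += '</ul>';
  return html;
}

// Toy sanitizer: drop <script>/<style> with their content, keep only allow-listed tags
// (all attributes removed), and re-encode every text node once (decode, then encode),
// which is what a DOM-based sanitizer effectively does when it re-serialises.
function sanitizeHtml(html) {
  const withoutScripts = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return withoutScripts.replace(/<\/?([a-zA-Z][\w-]*)[^>]*>|[^<]+|</g, (token, tag) => {
    if (tag !== undefined) {
      const name = tag.toLowerCase();
      if (!ALLOWED_TAGS.has(name)) return '';
      return token.startsWith('</') ? `</${name}>` : `<${name}>`;
    }
    return escapeHtml(decodeEntities(token)); // text node (or a stray '<')
  });
}

// What the reader sees: tags removed, entities decoded once by the browser.
function visibleText(html) {
  return decodeEntities(html.replace(/<[^>]*>/g, ''));
}

const oldPipeline = (md) => renderMarkdown(sanitizeHtml(md)); // sanitize, then render
const newPipeline = (md) => sanitizeHtml(renderMarkdown(md)); // render, then sanitize

console.log('old order:', visibleText(oldPipeline(SAMPLE_MD)));
console.log('new order:', visibleText(newPipeline(SAMPLE_MD)));
console.log('unsafe input, new order:', newPipeline(UNSAFE_MD));
```

Running it shows the double-encoding the old order produces for quotes inside a code span (the reader sees the literal text `A&#39;A&quot;A`), while the new order shows the value as written and still drops the `<script>` element and the `onclick` attribute. The old order also strips inline HTML that the author placed inside backticks to be shown literally, before the renderer gets a chance to escape it; the new order keeps it as escaped text.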

@ashharrison90 ashharrison90 added this to the 8.4.4 milestone Mar 3, 2022
@ashharrison90 ashharrison90 requested review from torkelo and a team March 3, 2022 14:00
@ashharrison90 ashharrison90 self-assigned this Mar 3, 2022
@ashharrison90 ashharrison90 requested review from joshhunt and JoaoSilvaGrafana and removed request for a team March 3, 2022 14:00
@ashharrison90 ashharrison90 requested a review from a team as a code owner March 3, 2022 14:15
Contributor

@joshhunt joshhunt left a comment

Looks good to me - just with a question around the changed test. I don't quite follow the change there.

@@ -27,7 +27,7 @@ e2e.scenario({
`Server:pipe = A'A"A|BB\\B|CCC`,
`Server:distributed = A'A"A,Server=BB\\B,Server=CCC`,
`Server:csv = A'A"A,BB\\B,CCC`,
`Server:html = A'A"A, BB\\B, CCC`,
`Server:html = A'A"A, BB\\B, CCC`,
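Review bot: the only change in this hunk is the expected interpolated string for `Server:html`, and with the leading +/- markers lost in this rendering the removed and added `Server:html = A'A"A, BB\\B, CCC` lines read identically, so the intent of the change cannot be recovered from the hunk alone. Since the PR moves sanitization to after the markdown has been rendered, consider extending this scenario with an expectation that raw HTML placed in the panel markdown (a `<script>` element, for instance) is still absent from the rendered panel, so the reordering is covered by the e2e test and not only by the manual security review the description asks for.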
Contributor

Why do we expect this to change?

Contributor Author

i think the old expectation is actually showing the bug 🤔
the variable value is defined as A'A"A,BB\B,CCC

the markdown in the text panel of that test is defined as:

* `Server:html` = `${Server:html}`

so when interpolated, we should have (step 1):

* `Server:html` = `A'A"A,BB\B,CCC`

and when converted to html it should be (step 2):

  • Server:html = A'A"A, BB\B, CCC

however with the old code, we sanitize the markdown string itself in step 1, giving:

* `Server:html` = `A'A"A,BB\B,CCC`

which leads to the html:

  • Server:html = A'A"A,BB\B,CCC

@ashharrison90 ashharrison90 merged commit b1125c0 into main Mar 3, 2022
@ashharrison90 ashharrison90 deleted the ash/text-panel-sanitizing branch March 3, 2022 16:50

grafanabot pushed a commit that referenced this pull request Mar 3, 2022

* Sanitize after markdown has been rendered to html

* Update e2e test

(cherry picked from commit b1125c0)

ashharrison90 added a commit that referenced this pull request Mar 3, 2022

…#46185)

* Sanitize after markdown has been rendered to html

* Update e2e test

(cherry picked from commit b1125c0)

Co-authored-by: Ashley Harrison <ashley.harrison@grafana.com>

alexweav pushed a commit that referenced this pull request Mar 3, 2022

* Sanitize after markdown has been rendered to html

* Update e2e test
5 participants