Chore: Use DOMPurify to sanitize strings rather than js-xss #62787
Conversation
KristianGrafana
requested review from
a team,
ashharrison90,
JoaoSilvaGrafana,
academo,
codeincarnate and
mdvictor
and removed request for
a team
ryantxu
changed the title
ryantxu
changed the title
Yes, we will need that to be more lenient than just div -- i'm not sure what a reasonable limit list would be though |
@ryantxu Take a look at 84c6302 -- the This is fine to use in Text Panel's, but we should not use |
|
I'll add some tests next week where we should aim to replicate existing behavior. In particular I think:
|
|
@ryantxu Some changes are now pushed. |
|
@KristianGrafana -- this looks good to me, but I think @ashharrison90 and @mckn should ✅ before merging since this will likely cause some mysterious change/side effect in their domain and/or stream of issues we see. Can you
|
|
Nice one! 👏 @KristianGrafana @ryantxu I have pushed an extra test case to check if the markdown rendering does not remove any code blocks while sanitising the text, I hope you don't mind. (I guess it is something that we would like to support?) |
|
@ryantxu The latest commit adds comments in This means that now only @leventebalogh Thanks! I made some small changes to that test file since now markdown keeps sanitized content. |
KristianGrafana
requested review from
axelavargas and
kaydelaney
and removed request for
a team
|
Backend code coverage report for PR #62787 |
|
Frontend code coverage report for PR #62787
|
|
hi @KristianGrafana , the changes in the folder |
ryantxu
force-pushed
the
sanitize-with-dompurify
branch
from
17816ff
to
f0b1d36
Compare
| .replace(/</g, '<') | ||
| .replace(/>/g, '>') | ||
| .replace(/'/g, ''') | ||
| .replace(/\//g, '/') |
There was a problem hiding this comment.
@ryantxu why escape forward slash here? I don't see any other example of HTML escape doing that, and the browser does seem to do it either in (tested with this):
function escapeHtml(html){
var text = document.createTextNode(html);
var p = document.createElement('p');
p.appendChild(text);
return p.innerHTML;
}
There was a problem hiding this comment.
@torkelo (answering since this was my PR) -- This is part of security enhancement, forward slash could be considered unsafe as it could be used like this <img/src/onerror=alert()> which breaks out of context. Other things such as paths, comments and schemas (file://) also use forward slash which can be used when exploiting vulnerabilities.
Is encoding forward slash causing issues?
There was a problem hiding this comment.
@KristianGrafana no, just curious why it was added, could not find it in any other escapeHtml implementation (incl browser impl)
There was a problem hiding this comment.
@torkelo Understandable. It's a good question and it simply boils down to the context. In most implementations, / is not escaped as it has little to no impact of providing XSS protection. In odd corner cases escaping / might be helpful, but honestly, it might be a good idea to try to follow standards here.
|
I need to use return DOMPurify.sanitize(unsanitizedString, {
USE_PROFILES: { html: true },
FORBID_TAGS: ['form', 'input', 'pre'],
});27e2b03#diff-7c3fe444c88d3cc0c600cf945a13ce92e3932e054bee7e4cb8d53537fa9403d4R36 |
|
@darkleaf - that was to follow the policy that grafana/oncall uses. I can see that |
What is this feature?
This PR removes the use of the js-xss library in the
sanitizefunction and utilize DOMPurify for sanitation of content, such as user-supplied HTML.Furthermore, Markdown rendering will be sanitized with
js-xss. Also, more characters are being escaped in theescapeHtmlfunction.Why do we need this feature?
DOMPurify has better performance and features, such as support for Trusted Types. DOMPurify is also more widely used. DOMPurify tries to handle mXSS, prototype pollution, SVG-sanitation and DOM-clobbering among other types of XSS attacks.