Prevent collab improperly clearing text blocks on save#311
Conversation
…if they need updating post-save
This changes behavior slightly as deleting everything will be considered a block update in some cases instead of a block removal
github-actions
bot
added
area/apps > hash*
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| throw new Error("Unexpected prosemirror structure"); | ||
| } | ||
|
|
||
| const draftEntity = entityStore.draft[node.attrs.draftId]; |
There was a problem hiding this comment.
Detected user input used in bracket notation accessor. This could lead to object injection through node.attrs.draftId, which could grant access to every property available in the object and therefore sensitive information. Instead, avoid the use of user input in property name fields or create a whitelist of allowed input.
Click here if this comment is not useful
This comment is advisory. You do not need to address it before merging this pull request.
(javascript.lang.security.audit.detect-bracket-object-injection.detect-bracket-object-injection in Security Policy)
|
|
||
| // The current default for this is an empty string, not null. | ||
| return blockEntityId === "" ? null : blockEntityId; | ||
| const draftEntity = this.store.draft[blockEntityNode.attrs.draftId]; |
There was a problem hiding this comment.
Detected user input used in bracket notation accessor. This could lead to object injection through blockEntityNode.attrs.draftId, which could grant access to every property available in the object and therefore sensitive information. Instead, avoid the use of user input in property name fields or create a whitelist of allowed input.
Click here if this comment is not useful
This comment is advisory. You do not need to address it before merging this pull request.
(javascript.lang.security.audit.detect-bracket-object-injection.detect-bracket-object-injection in Security Policy)
|
This pull request introduces 1 alert when merging f0d254a into 232e3ac - view on LGTM.com new alerts:
|
vilkinsons
added
type/eng > frontend
3 participants
🌟 What is the purpose of this PR?
This fixes a bug where the content of new text blocks is being improperly cleared on save. It does that by removing the
blockEntityIdattribute for Prosemirror nodes, which removes the need to update the Prosemirror document when creating blocks.It also re-enables the playwright test which was failing due to this bug.
You can see this bug occurring in https://app.replay.io/recording/59943358-a173-48d3-ac76-5fc778467eda, which was generated using a replay-enabled fork of Playwright. See replayio/playwright#9 (comment) for details.
Updating
blockEntityIdon save should not have cleared the content of the block, and it indicates something is going wrong with the application of actions. This is tracked by https://app.asana.com/0/1200211978612931/1201720874843710/f (internal).🐾 Next steps
We'll look at fixing the above in the future.
🔍 What does this change?
page-creation.spec.tshas been updated to re-enable the previous flaky test of rapid text insertion in new blocks which were disabled in Remove a few steps from Playwright tests to reduce CI flakiness #232isComponentNodenow detects component nodes by whether their node type belongs to thecomponentNodegroup, rather than by checking for ablockEntityIdattribute.componentNodeGroupNamevariable instead of duplicated all over the place.@types/prosemirror-modelhas been patched to make the groups field onNodeTypeavailable for use. This is incorrectly left out of the community types. [prosemirror-model]: NodeType is missing its groups property DefinitelyTyped/DefinitelyTyped#58892isComponentNodeTypehelper to check if a node type belongs to the component node group. Used byisComponentNodeBlockViewhas been updated to retrieve the entity id of the block (for the "link to block" functionality) by using the entity store and the draft id of the block entity node, instead of by using theblockEntityIdattribute of the component nodeComponentViewhas been update to get the entity id of the block from the entity store, instead of by using theblockEntityIdattribute of the component nodefindComponentNodeAPI which is used for finding a single component node within a containing node. The signature for this requires knowing the position of the containing node, so we can be sure the positions returned are absolute positions, and not relative to the containing nodefindComponentNodes. It doesn't need to know the position of the component node, but it did always only need to find a single component node within the block node, so it makes sense to use this instead of the one which returns all component nodes.findComponentNodesno longer returns the position of the nodes it findsfindComponentNodesrequired the positionfindComponentNodeswere always relative to the top level node given to it, rather than their absolute position in the document. If you pass a doc node tofindComponentNodes, they're the same thing, but it could lead to confusion so it was sensible to simplify the APIblockEntityIdfrom component nodes. Instead, it references block entity nodes and the entity store to calculate save operationsProsemirrorSchemaManagernow creates component nodes with no props, as no uses ofblockEntityIdremaingetComponentNodeAttrshas been removedwrapEntitiesPluginhas been updated to not have to removeblockEntityIdwhen text blocks are split in halfcreateComponentNodeSpecinstead of at its call site – specificallytoDOM.Instancehas been updated to no longer send Prosemirror steps setting theblockEntityIdof component nodes post-save, as it isn't used anymoresaveMapping📜 Does this require a change to the docs?
No
🔗 Related links
🛡 What tests cover this?
page-creation.spec.tsplaywright tests,"user can create page".❓ How to test this?
Run the playwright tests. This was never a bug we saw in person as it depended on speed.
You should also just ensure the general stability of the system in creating blocks, making changes and seeing them be persisted, and in linking to blocks.
📹 Demo
N/A