-
Notifications
You must be signed in to change notification settings - Fork 332
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: [M3-7990] - Replace sanitize-html with DOM friendly alternative #10378
Conversation
'title', | ||
'align', | ||
'class', | ||
'rel', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We allow them, but then we strip them all unless it is for <span class="version" />
This will be all cleaned up once we get rid of out eventMessageGenerator transformers, which is part of this epic
}, | ||
sanitizingTier: 'strict', | ||
text: localError || '', | ||
}).toString(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to satisfy the types here with toString()
would love to confirm those changes are good with people familiar with this particular Firewall files. Maybe @carrillo-erik ?
KEEP_CONTENT: disallowedTagsMode === 'discard' ? false : true, | ||
RETURN_DOM: false, | ||
RETURN_DOM_FRAGMENT: false, | ||
RETURN_TRUSTED_TYPE: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RETURN_TRUSTED_TYPE: false,
see https://github.com/cure53/DOMPurify?tab=readme-ov-file#what-about-dompurify-and-trusted-types
node.removeAttribute('class'); | ||
} | ||
} | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
legacy handlers which I hope to get rid of soon once we refactor event generators
Coverage Report: β
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very nice. Feels good to finally get this taken care of. Thanks for taking it on!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Confirmed I see no more sea of yellow! π
Description π
This PR replaces
sanitize-html
with the DOM friendly, well supporteddompurify
package.https://github.com/cure53/DOMPurify
sanitize-html
is meant to run with NodeJS - aka on the server. This substitution standardizes our codebase and avoid potential issues running nodeJS modules (path
,FS
,url
,source-map-js
) in the browser while improving the developer experience as we're removing a large amount of warnings in the console.This PR is meant as a 1/1 replacement, meaning all tests should be passing and current sanitization in CM should be unaltered.
The bundled compressed size difference between both packages is negligible.
βΉοΈ Note: As a rule of thumb, sanitizing in the browser is only for the presentation layer. We don't want to get in the habit of sanitizing data we're sending to the API.
Changes π
List any change relevant to the reviewer.
sanitize-html
withdompurify
.Preview π·
No visual change
How to test π§ͺ
Prerequisites
yarn && yarn up
with current branchVerification steps
In order to check some of the areas where we sanitize HTML, use the content matches in the table below. It sahould give you a pretty good idea what area to check. Namely, events (notification dropdown & event page), tickets,
sanitizeHTML
utilHighlightedMarkdown
ComponentAs an Author I have considered π€
Check all that apply