Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump Sanitize-html to 1.22.1 and remove unneeded patch #6227

Merged
merged 1 commit into from
Mar 25, 2020
Merged

Bump Sanitize-html to 1.22.1 and remove unneeded patch #6227

merged 1 commit into from
Mar 25, 2020

Conversation

Jskobos
Copy link
Contributor

@Jskobos Jskobos commented Mar 23, 2020

Description

Basically redoing #6143 with up-to-date lockfile etc.

Note to reviewers

Make sure that the old CSS injection attacks etc. don't work still and that HTML is escaped as expected in Support tickets.

I fixed the tests, but I'm not crazy about a lot of the ones that are still passing. We're making very specific assertions about string output, which could change any time this library releases a patch. We're also essentially unit testing an external library, which I understand the point since this is security related but I still think is unnecessary.

@Jskobos Jskobos self-assigned this Mar 23, 2020
acourdavault
acourdavault reviewed Mar 23, 2020
View reviewed changes
Copy link
Member

@acourdavault acourdavault left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me,
Although I d like to have @johnwcallahan s review on the CSS injection as I am unsure if this decreases the security of this or not.

johnwcallahan
johnwcallahan approved these changes Mar 24, 2020
View reviewed changes
Copy link
Contributor

@johnwcallahan johnwcallahan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works well. I agree with your assessment that the tests aren't very useful here. I think a few basic sanity tests are appropriate, but testing these specific strings is probably unnecessary. I can put together a follow-on PR if you like.

acourdavault
acourdavault approved these changes Mar 25, 2020
View reviewed changes
Copy link
Member

@acourdavault acourdavault left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@Jskobos
Copy link
Contributor Author

Jskobos commented Mar 25, 2020

Works well. I agree with your assessment that the tests aren't very useful here. I think a few basic sanity tests are appropriate, but testing these specific strings is probably unnecessary. I can put together a follow-on PR if you like.

@johnwcallahan if you don't mind that would be great. I tried a few expect(cleaned).not.toContain(<script>) things earlier but didn't come up with anything that I thought was useful

@Jskobos Jskobos merged commit 5d54f4a into linode:develop Mar 25, 2020
@Jskobos Jskobos deleted the M3-3913-sanitize-html branch March 25, 2020 18:29
@johnwcallahan johnwcallahan mentioned this pull request Mar 25, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnwcallahan johnwcallahan johnwcallahan approved these changes

@acourdavault acourdavault acourdavault approved these changes

Assignees

@Jskobos Jskobos

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Jskobos @johnwcallahan @acourdavault