bugfix: Fix html special chars #1010
Conversation
This pull request is automatically deployed with Now.
@yogeshsuhagiya I remade this PR for you. Please take it over for now. You should fill out the sections that are missing content in the PR description, such as "Motivation and Context" and "How has this been tested". Providing this information makes it easier for us to understand your changes. Without it we will likely push this to the bottom of the stack and prioritize other issues that have more detail.
@@ -73,7 +73,7 @@ class GalleryItem extends Component { | |||
{this.renderImage()} | |||
</Link> | |||
<Link to={resourceUrl(productLink)} className={classes.name}> | |||
<span>{name}</span> | |||
<span dangerouslySetInnerHTML={{ __html: name }} /> |
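Review bot: Replacing `<span>{name}</span>` with `<span dangerouslySetInnerHTML={{ __html: name }} />` turns a product name from catalog data into raw DOM markup, so any `<script>`, `<img onerror=...>` or similar fragment stored in that field runs in every shopper's browser (stored XSS); the original line is the safe one because JSX escapes interpolated text. If the reported "HTML special chars" problem is that names arrive already entity-encoded and display as `&amp;` and friends, decode the string once where the product data is fetched or normalised and keep rendering it as text; no change to this component is needed for that.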
This is not the right approach. It's a vector for XSS, and it doesn't reflect the purpose of this node (name should be a utf-8 string, not HTML).
We could probably close this PR and the associated issue then, right? Seems like it isn't a real bug if the data should be a utf-8 string already.
Product names should be
Even if that weren't the case, though, we shouldn't just render database content as raw HTML, since that's what enables XSS. (If there are any other places in the app where that's happening, we should fix them.)
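To make the review discussion above concrete, here is an added example that is not code from this PR or from the project. It models the two rendering paths in plain JavaScript, without React: `escapeHtml` stands in for what JSX does to `{name}`, `renderRaw` stands in for `dangerouslySetInnerHTML`, and `decodeEntities` is the kind of one-time decode at the data boundary that fixes an entity-encoded product name while leaving output escaping in place. The function names and the two sample product records are constructed for the example; the hostile name is there only to show which path executes it.

```javascript
// Added example (not from the PR or the project). Models the rendering paths
// discussed in the review: JSX text interpolation escapes on output, while
// dangerouslySetInnerHTML inserts the string as markup. Function and sample
// names are hypothetical.

// What React does for `<span>{name}</span>`: escape text for an HTML context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What `dangerouslySetInnerHTML={{ __html: name }}` does: no escaping at all.
function renderRaw(name) {
  return `<span>${name}</span>`;
}

// The original, safe rendering: escape on output.
function renderEscaped(name) {
  return `<span>${escapeHtml(name)}</span>`;
}

// Decode a small set of HTML entities once, at the data boundary, so the
// stored value becomes a plain UTF-8 string. Handles the common named
// entities plus decimal/hex numeric references; unknown entities are left
// untouched. This is deliberately not an HTML parser.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeEntities(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    const lower = body.toLowerCase();
    let code = null;
    if (lower.startsWith("#x")) code = parseInt(lower.slice(2), 16);
    else if (lower.startsWith("#")) code = parseInt(lower.slice(1), 10);
    if (code !== null) return code <= 0x10ffff ? String.fromCodePoint(code) : m;
    return Object.prototype.hasOwnProperty.call(NAMED, lower) ? NAMED[lower] : m;
  });
}

// Constructed sample records: a benign name that arrived entity-encoded
// (the "special chars" symptom) and a hostile name carrying markup.
const products = [
  { name: "Tom &amp; Jerry &quot;Deluxe&quot;" },
  { name: '<img src=x onerror="alert(document.cookie)">' },
];

// For each product: the symptom (escaping an already-encoded string, so the
// browser shows "&amp;"), the PR's approach (raw markup, executes the hostile
// name), and the recommended fix (decode once, then escape on output).
function renderAll() {
  return products.map((p) => {
    const plain = decodeEntities(p.name);
    return {
      symptom: renderEscaped(p.name),
      raw: renderRaw(plain),
      escaped: renderEscaped(plain),
    };
  });
}

module.exports = { escapeHtml, renderRaw, renderEscaped, decodeEntities, renderAll };
```

Running `renderAll()` shows the point of the review: for the benign record, `symptom` contains `&amp;amp;` (what the reporter likely saw), while `escaped` contains `&amp;` and the browser displays `Tom & Jerry "Deluxe"`; for the hostile record, `raw` contains a live `<img onerror=...>` tag and `escaped` contains only `&lt;img ...&gt;` text. Decoding belongs where the data enters the app, not in the component.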
Recreated based on #985.
Description
Fixed HTML special characters issue for the product name on the category page and product view page.
Related Issue
Closes #984
Motivation and Context
How Has This Been Tested?
Screenshots (if appropriate):
Proposed Labels for Change Type/Package
Checklist: