
Sanitize links in citation#5564

Merged
compulim merged 16 commits intomicrosoft:mainfrom
compulim:feat-markdown-in-citation
Sep 2, 2025

Conversation


@compulim compulim commented Aug 29, 2025

Changelog Entry

Breaking changes

  • Root-level (unconnected) Claim entity is being deprecated, in PR #5564, by @compulim. It will be removed on or after 2027-08-29
    • Use entities[@id=""][@type="Message"].citation[@type="Claim"] instead

Added

Removed

  • Root-level (unconnected) Claim entity is being deprecated, in PR #5564, by @compulim. It will be removed on or after 2027-08-29
    • Use entities[@id=""][@type="Message"].citation[@type="Claim"] instead

Description

Adding sanitization to links used in citation. Also URL in Markdown reference style link is source-of-truth, the URL in Claim entity is treated as auxiliary/redundant.

Design

As sanitization is done by HTML content transformer, we are leveraging the HTML content transformer to detect whether links (HREFs) should be sanitized.

If web developers want to change what URL scheme is supported, they should modify the sanitization engine in the HTML content transformer.

Citation

There are 2 types of citation, and their behaviors:

  • Citation link (a link to the cited text)
    • If link is safe, the link will be available to tap
    • Otherwise, the link is unsafe and it will be removed from the Markdown text and the reference style link (a.k.a. footnote)
  • Non-URL citation (cited text is inline in the message activity)
    • Link is never presented

Single source of truth

For citation, the URL can be set at both Markdown reference style link and Claim entity.

If they are inconsistent, a warning will be presented and the URL from the Markdown reference style link is used as the source of truth.

In other words, the URL presented in the Claim entity is always ignored.

For "plain text" channels such as email/SMS, they cannot use the Claim entity. Thus, Claim entity is always designed to be an auxiliary/redundant data.

Specific Changes

  • Updated .eslintrc.yml to detect <a> via react/forbid-elements rule
  • I have added tests and executed them locally
  • I have updated CHANGELOG.md
  • I have updated documentation

Review Checklist

This section is for contributors to review your work.

  • Accessibility reviewed (tab order, content readability, alt text, color contrast)
  • Browser and platform compatibilities reviewed
  • CSS styles reviewed (minimal rules, no z-index)
  • Documents reviewed (docs, samples, live demo)
  • Internationalization reviewed (strings, unit formatting)
  • package.json and package-lock.json reviewed
  • Security reviewed (no data URIs, check for nonce leak)
  • Tests reviewed (coverage, legitimacy)
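The behavior the description lays out (unsafe reference-style links stripped from both the Markdown text and the footnote, the Markdown URL winning over the Claim entity URL with a warning on mismatch), as an added illustration that is not Web Chat's own code. The `sanitizeHref` allowlist stands in for the HTML content transformer's sanitizer, the match between a Claim `id` and a reference label is an assumption, and the Markdown and claims are constructed sample input.

```typescript
// Added illustration, not Web Chat's code: sanitize reference-style citation
// links and resolve the citation URL with the Markdown definition as source of truth.
export type Claim = { id: string; url?: string; text?: string };
export type Citation = { id: string; url?: string };
export type Result = { markdown: string; citations: Citation[]; warnings: string[] };

// Stand-in for the HTML content transformer's href check (assumed http/https allowlist).
export function sanitizeHref(href: string): string | undefined {
  try {
    const { protocol, href: normalized } = new URL(href.trim());
    return protocol === 'http:' || protocol === 'https:' ? normalized : undefined;
  } catch {
    return undefined; // relative or malformed: treated as unsafe
  }
}

// Matches a whole "[label]: url ..." definition line, including its newline.
const DEFINITION = /^[ \t]*\[([^\]]+)\]:[ \t]*(\S+)[^\n]*\n?/gm;

export function sanitizeCitations(markdown: string, claims: Claim[]): Result {
  const warnings: string[] = [];
  const urls = new Map<string, string | undefined>(); // label -> safe URL, or undefined if unsafe

  // 1. Collect reference definitions; drop the footnote line when its URL is unsafe.
  let text = markdown.replace(DEFINITION, (line: string, label: string, url: string) => {
    const safe = sanitizeHref(url);
    urls.set(label, safe);
    return safe ? line : '';
  });

  // 2. Remove in-text uses of unsafe links: "[cited][label]" becomes plain "cited".
  text = text.replace(/\[([^\]]+)\]\[([^\]]+)\]/g, (match: string, cited: string, label: string) =>
    urls.has(label) && !urls.get(label) ? cited : match
  );

  // 3. The Markdown URL is the source of truth; the Claim URL is only checked for consistency.
  const citations = claims.map(({ id, url }) => {
    const fromMarkdown = urls.get(id); // undefined for non-URL (inline text) citations
    if (url !== undefined && sanitizeHref(url) !== fromMarkdown) {
      warnings.push(`Claim ${id}: entity URL ignored, Markdown reference URL used`);
    }
    return { id, url: fromMarkdown };
  });

  return { markdown: text, citations, warnings };
}

// Constructed sample input: one safe link, one unsafe link, one inline (non-URL) citation.
export const SAMPLE_MARKDOWN =
  'See the [policy][doc1] and the [script][doc2].\n\n[doc1]: https://example.com/policy "Policy"\n[doc2]: javascript:alert(1)';
export const SAMPLE_CLAIMS: Claim[] = [
  { id: 'doc1', url: 'https://example.com/other' },
  { id: 'doc2', url: 'https://example.com/script' },
  { id: 'doc3', text: 'cited text is inline' }
];
```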

@compulim compulim changed the title Sanitize links in citation [WIP] Sanitize links in citation Aug 29, 2025
@compulim compulim marked this pull request as ready for review August 29, 2025 23:48
@compulim compulim changed the title [WIP] Sanitize links in citation Sanitize links in citation Aug 29, 2025
@compulim compulim requested a review from Copilot August 29, 2025 23:48
Copilot AI left a comment


Pull Request Overview

This PR adds link sanitization to citation components to prevent malicious links and enforces ESLint rules to prevent direct use of anchor elements. The changes establish Markdown reference-style links as the single source of truth for URLs over entity-defined URLs.

  • Implements centralized link sanitization through HTML content transformer
  • Adds ESLint rules to prevent direct <a> element usage
  • Updates citation logic to prefer Markdown URLs over entity URLs

Reviewed Changes

Copilot reviewed 13 out of 15 changed files in this pull request and generated 3 comments.

Files reviewed:

  • packages/component/src/hooks/internal/useSanitizeHrefCallback.ts: New hook for sanitizing URLs using HTML content transformer
  • packages/component/src/LinkDefinition/LinkDefinitionItem.tsx: Updated to use sanitized URLs and added prop validation
  • packages/component/src/Attachment/Text/private/MarkdownTextContent.tsx: Major refactor to implement URL sanitization and single source of truth logic
  • packages/component/src/Attachment/FileContent.tsx: Renamed variable for clarity and added ESLint disable comment
  • packages/component/src/ActivityStatus/private/Originator.tsx: Added URL sanitization and prop validation
  • .eslintrc.react.yml: Added ESLint rule to forbid direct anchor element usage
  • tests/html2/citation/: Test files for validating sanitization behavior


@compulim compulim merged commit 3db56b7 into microsoft:main Sep 2, 2025
48 of 49 checks passed
@compulim compulim deleted the feat-markdown-in-citation branch September 2, 2025 17:48