Fix innerHTML XSS vulnerability #341
Conversation
This is a breaking change, so a major version bump and upgrade notes would be needed in readme.
Should we start a new
I like the README approach. It also means that people that visit npm page would see the important upgrade instructions.
This should be ready to review again! Please let me know if there's anything that should be changed for better code quality or styling. Thank you!
Alright, I'm feeling good about this one 😄
Looks good to me.
In summary:
- Existing Delta documents will lose their rendered HTML in `value`, but that is expected, as it may be currently polluted with XSS.
- New Delta documents will only ever store String (plain text) in `value` - the documentation reflects it.
- HTML rendering is still supported through the use of custom blots, that extend the default `MentionBlot`. They must implement a `render` method that returns an `Element`. Functionality of rendering HTML is maintained.
- Furthermore, the use of custom blot name means that `mention` objects with custom `data` payload will be explicitly handled by the custom blot, rather than the default one.
- I could not find any new XSS vectors (except for the end user introducing one in their `render` method).
Good work!
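The review above says that after this change the default blot only expects plain text in `value`, and that existing documents may still carry rendered HTML there. The following is an added example, not code from this PR or from the project, showing how a maintainer could audit stored Delta documents before upgrading: it walks the `ops` array and reports mention inserts whose `value` is not a string or contains markup. It assumes the Delta shape `{ ops: [{ insert: { mention: { id, value, ... } } }] }` (the `mention` key and `value` field are as described on the page; the exact field layout is an assumption), and the sample Delta is constructed for the example.

```javascript
// Added example (not the project's code): audit a Quill Delta for mention
// values that are not plain text. Assumes embeds look like
// { insert: { <blotName>: { value: ... } } }; blotName defaults to 'mention'.

// Crude markup detector: an HTML/XML-looking tag or a character entity.
// This is an audit heuristic; a false positive only means manual review.
const MARKUP_RE = /<\/?[a-zA-Z][^>]*>|&[#a-zA-Z0-9]+;/;

function auditMentionOps(delta, blotName = 'mention') {
  const findings = [];
  const ops = (delta && Array.isArray(delta.ops)) ? delta.ops : [];

  ops.forEach((op, index) => {
    const insert = op && op.insert;
    // Plain text inserts (strings) and malformed ops carry no embed payload.
    if (!insert || typeof insert !== 'object') return;
    const mention = insert[blotName];
    if (!mention || typeof mention !== 'object') return;

    const value = mention.value;
    if (typeof value !== 'string') {
      // Only strings are allowed in value after the upgrade.
      findings.push({ index, reason: 'non-string value', value });
    } else if (MARKUP_RE.test(value)) {
      // Legacy rendered HTML: will be shown literally by the default blot,
      // which is the safe behaviour, but it is worth cleaning up.
      findings.push({ index, reason: 'markup in value', value });
    }
  });

  return findings;
}

// Constructed sample Delta: one clean mention, one carrying legacy HTML,
// one with a non-string value (all values are made up for this example).
const SAMPLE_DELTA = {
  ops: [
    { insert: 'Hello ' },
    { insert: { mention: { id: '1', value: 'Ada Lovelace', denotationChar: '@' } } },
    { insert: ' and ' },
    { insert: { mention: { id: '2', value: '<b>Grace</b> Hopper', denotationChar: '@' } } },
    { insert: { mention: { id: '3', value: { name: 'Linus' }, denotationChar: '@' } } },
    { insert: '\n' },
  ],
};

// Stand-alone usage: prints the two findings from the sample document.
console.log(JSON.stringify(auditMentionOps(SAMPLE_DELTA), null, 2));
```

Run it with `node` to see which ops need attention; pass a custom blot name as the second argument when a project stores mentions under a custom blot as the review describes.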
Excellent job @csculley! I've now published version 4.0.0 to npm.
Thank you so much!!
Closes #255
This PR fixes the XSS vulnerability issues associated with using `innerHTML`. Please let me know if anything needs to be changed. Thank you!