Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add safety check for falsy sanitizer input. #29639

Closed
wants to merge 4 commits into from
Closed

Add safety check for falsy sanitizer input. #29639

wants to merge 4 commits into from

Conversation

peterblazejewicz
Copy link
Contributor

@peterblazejewicz peterblazejewicz commented Nov 4, 2019
edited by XhmikosR

When the input of sanitizer evaluates to false:

  • do not rely on assumed string length
  • default to empty string on falsy input

With that change the falsy input like null, undefined or empty string
should return the same results: empty string.

Thanks!

Fixes #29474

@peterblazejewicz
Add safety check for falsy sanitizer input. Fixes twbs#29474
2cbbbf7 
When the input of sanitizer evaluates to false:
- do not rely on assumed string length
- default to empty string on falsy input

With that change the falsy input like null, undefined or empty string
should return the same results: empty string.

Thanks!
@peterblazejewicz peterblazejewicz requested a review from a team as a code owner November 4, 2019 20:56
XhmikosR
XhmikosR reviewed Nov 5, 2019
View reviewed changes
js/src/util/sanitizer.js
@@ -92,8 +92,8 @@ export const DefaultWhitelist = {
}

export function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
if (!unsafeHtml.length) {
return unsafeHtml
if (!unsafeHtml || !unsafeHtml.length) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about we just do !Boolean(unsafeHtml)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, done the reading and now I knew Boolean(...) is alrady used here in the source base. To be amended

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So that way:

if (!Boolean(unsafeHtml) || !unsafeHtml.length) {

cannot be written, as there is a rule in ESLint config Redundant Boolean call.eslint(no-extra-boolean-cast), which fixes to expression I've used. Not sure what to do with this to not over engineer simple statement

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we can just do !unsafeHtml? @Johann-S what do you prefer?

XhmikosR
XhmikosR reviewed Nov 5, 2019
View reviewed changes
js/src/util/sanitizer.js
if (!unsafeHtml.length) {
return unsafeHtml
if (!unsafeHtml || !unsafeHtml.length) {
return unsafeHtml || ''
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any specific reason to return an empty string instead of false?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As there is no JSDoc, I tried to read intent from:

  • empty string (String.lenght) returns empty string
  • sanitizeFn from docs recommends DOMPurify, which returns empty string always (we are using DOMPurify in one product, pretty sure here)
  • the return from the function itself, here is the string (innerHtml)

@XhmikosR
Copy link
Member

XhmikosR commented Nov 5, 2019

That issue is for v3 BTW. @Johann-S we should edit to mention if it happens in v4 and v5 (remove 3 since it's EOL) and mark this for backport

@XhmikosR XhmikosR changed the title Add safety check for falsy sanitizer input. Fixes #29474 Add safety check for falsy sanitizer input. Nov 5, 2019
Johann-S
Johann-S approved these changes Nov 12, 2019
View reviewed changes
Copy link
Member

@Johann-S Johann-S left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍
And yes we can backport that in v4 too

@XhmikosR XhmikosR added this to Inbox in v5 via automation Nov 12, 2019
@XhmikosR XhmikosR added this to Inbox in v4.4.0 via automation Nov 12, 2019
@Johann-S
Copy link
Member

Hi @peterblazejewicz,

It seems it's impossible to pass undefined or null to the sanitizer because, our sanitizer is bundled in our components see: #29733

@XhmikosR XhmikosR removed this from Inbox in v4.4.0 Nov 25, 2019
@XhmikosR
Copy link
Member

XhmikosR commented Dec 6, 2019

Closing due to lack of response. You can comment here and we can re-open the PR, if you decide to resume working on the requested changes.

This is an automated reply

@XhmikosR XhmikosR closed this Dec 6, 2019
@XhmikosR XhmikosR removed this from Inbox in v5 Jan 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@XhmikosR XhmikosR XhmikosR left review comments

@Johann-S Johann-S Johann-S approved these changes

Assignees
No one assigned
Labels
backport-to-v4 js v4 v5
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

tooltip#sanitizeHtml() missing null check
3 participants
@peterblazejewicz @XhmikosR @Johann-S