
Sanitize HTML in @webiny/react-rich-text-renderer package #3477

Merged
merged 8 commits into from Aug 23, 2023

Conversation

mihajlovco
Copy link
Contributor

@mihajlovco mihajlovco commented Aug 15, 2023

With this PR we want to sanitize the Editor.js content from the Headless CMS, to prevent the possibility of an XSS attack, since the default Editor.js behavior allows you to write unescaped HTML in the editor and have it executed in the browser.

Changes

  • added a new dependency for HTML sanitization: sanitize-html
  • added a configuration function configureSanitization, which allows developers to fine-tune the sanitization behavior
  • RichTextRenderer component also supports sanitization config via props, which can be used to fine-tune individual instances of the component, on top of the global configuration

How Has This Been Tested?

Manually.
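To show what the allow-list approach described in this PR does to Editor.js output, here is an added example that is not Webiny's code and not the sanitize-html library itself: a minimal allow-list sanitizer applied to Editor.js blocks, with a global configuration and a per-instance override merged on top of it. The names `GLOBAL_SANITIZE_CONFIG`, `mergeConfig`, `sanitizeBlocks` and the `instanceConfig` argument are hypothetical stand-ins for the PR's `configureSanitization` function and the `RichTextRenderer` props, and the Editor.js block input is constructed for the example.

```javascript
// Added example, not Webiny or sanitize-html code. Allow-list sanitization of
// Editor.js block text with a global config plus a per-instance override.

// Hypothetical global configuration (stand-in for configureSanitization).
const GLOBAL_SANITIZE_CONFIG = {
  allowedTags: ["b", "i", "a", "mark"],
  allowedAttributes: { a: ["href"] },
  allowedSchemes: ["http", "https", "mailto"],
};

// Attributes whose value is a URL and must pass the scheme check.
const URL_ATTRS = new Set(["href", "src", "xlink:href", "formaction"]);
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Per-instance config wins field by field; an empty allowedTags array is honoured.
function mergeConfig(base, override = {}) {
  return {
    allowedTags: override.allowedTags ?? base.allowedTags,
    allowedAttributes: { ...base.allowedAttributes, ...(override.allowedAttributes ?? {}) },
    allowedSchemes: override.allowedSchemes ?? base.allowedSchemes,
  };
}

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const fromCodePoint = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : "");

// Reject URL schemes outside the allow-list. Numeric entities and control
// characters are normalised first so "java&#115;cript:" cannot slip through.
function hasAllowedScheme(value, allowedSchemes) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePoint(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase();
  const colon = decoded.indexOf(":");
  if (colon === -1) return true; // relative URL, no scheme at all
  const scheme = decoded.slice(0, colon);
  if (/[/?#]/.test(scheme)) return true; // ":" sits in the path or query, not a scheme
  return allowedSchemes.includes(scheme);
}

// Keep only allow-listed attributes; drop event handlers and unsafe URLs.
function sanitizeAttributes(tag, rawAttrs, config) {
  const allowed = new Set((config.allowedAttributes[tag] ?? []).map((a) => a.toLowerCase()));
  let out = "";
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;
    if (URL_ATTRS.has(name) && !hasAllowedScheme(value, config.allowedSchemes)) continue;
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

// Disallowed tags are removed but their text is kept; script/style are removed
// together with their content; stray "<" and ">" in text are escaped.
function sanitizeHtml(html, config) {
  const allowedTags = new Set(config.allowedTags.map((t) => t.toLowerCase()));
  const src = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  let out = "";
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(src)) !== null) {
    out += escapeText(src.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const tag = m[1].toLowerCase();
    if (!allowedTags.has(tag)) continue;
    if (m[0].startsWith("</")) { out += `</${tag}>`; continue; }
    out += `<${tag}${sanitizeAttributes(tag, m[2], config)}>`;
  }
  return out + escapeText(src.slice(last));
}

// Editor.js block types and the data fields that carry HTML (assumption).
const TEXT_FIELDS = { paragraph: ["text"], header: ["text"], quote: ["text", "caption"], list: ["items"] };

// Hypothetical renderer entry point: instanceConfig mirrors the component prop.
function sanitizeBlocks(blocks, instanceConfig) {
  const config = mergeConfig(GLOBAL_SANITIZE_CONFIG, instanceConfig);
  const clean = (v) => (typeof v === "string" ? sanitizeHtml(v, config) : v);
  return blocks.map((block) => {
    const data = { ...block.data };
    for (const f of TEXT_FIELDS[block.type] ?? []) {
      data[f] = Array.isArray(data[f]) ? data[f].map(clean) : clean(data[f]);
    }
    return { ...block, data };
  });
}

// Constructed Editor.js content carrying the payloads the PR is concerned with.
const MALICIOUS_BLOCKS = [
  { type: "paragraph", data: { text: 'Hello <b>world</b> <img src=x onerror="alert(1)">' } },
  { type: "paragraph", data: { text: '<a href="javascript:alert(1)" onclick="alert(2)">click</a>' } },
  { type: "header", data: { level: 2, text: "Title<script>alert(3)</script>" } },
  { type: "list", data: { style: "unordered", items: ["<i>ok</i>", "a < b"] } },
];

console.log(JSON.stringify(sanitizeBlocks(MALICIOUS_BLOCKS), null, 2));
console.log(JSON.stringify(sanitizeBlocks(MALICIOUS_BLOCKS, { allowedTags: [] }), null, 2));
```

The per-instance call with `allowedTags: []` shows the "on top of the global configuration" behaviour: a single renderer can be made stricter than the global default (plain text only) without touching other instances. Note that an unclosed `<script>` without its closing tag is still neutralised, because the tag itself is dropped and its body survives only as escaped text.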

@mihajlovco mihajlovco added work-in-progress (wip) The issue is not yet finished, please wait the author to confirm its definition is complete. bug labels Aug 15, 2023
@mihajlovco mihajlovco added this to the 5.37.2 milestone Aug 15, 2023
@mihajlovco mihajlovco self-assigned this Aug 15, 2023
@mihajlovco mihajlovco marked this pull request as draft August 15, 2023 11:31
mihajlovco and others added 2 commits August 17, 2023 10:19
Co-authored-by: Sasho Mihajlov <sashomihajlov@Sashos-MacBook-Pro.local>
Co-authored-by: adrians5j <adrian@webiny.com>
@mihajlovco mihajlovco changed the title (WIP)Sanitize react rich text renderer Sanitize react rich text renderer Aug 22, 2023
@mihajlovco mihajlovco removed the work-in-progress (wip) The issue is not yet finished, please wait the author to confirm its definition is complete. label Aug 22, 2023
@mihajlovco mihajlovco marked this pull request as ready for review August 22, 2023 13:15
@Pavel910 Pavel910 changed the title Sanitize react rich text renderer Sanitize HTML in @webiny/react-rich-text-renderer package Aug 23, 2023
@Pavel910 Pavel910 merged commit 8748bc5 into dev Aug 23, 2023
56 checks passed