Assorted security fixes needed to open source the SDK #532
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
tmeyer2115
commented
Mar 4, 2020
tmeyer2115
commented
- Removing templateUrl as an option from the SDK.
- Updating XSS vulnerabilities across multiple HBS templates.
…nk and footer text
…handlebars helper
Dropping support for passing in HTML to render a custom icon, users may still pass in a iconName to use one of library's built-in icons, or they may pass in a URL for a custom icon. Disallowing unescaped HTML in the Direct Answers component. Also escaping the HTML in test cases. TEST=manual,auto
Add a handlebars helper to escape HTML highlighted text in the Spellcheck and Autocomplete components, then format within the helper. Remove UI text formatting from autocomplete response data model. Update test cases so that they did not expect values with HTML in them. TEST=manual,auto
Remove templateUrl option from the SDK. This PR removes the templateUrl option from the SDK. This functionality led to a security vulnerability as we were dynamically adding a <script> tag to the page with whatever the templateUrl was. With this change, a client is still able to supply a custom bundle to Answers, but it must be done using the templateBundle attribute. If no templateBundle is supplied, we will fetch the default set of templates for the current release. TEST=manual Made sure that I could supply a custom bundle via templateBundle. Also made sure that if I did not supply a custom bundle, the default was fetched from the CDN.
alexisgrow
reviewed
Mar 4, 2020
| @@ -1,7 +1,7 @@ | |||
| /** @module */ | |||
|
|
|||
| /** The current lib version, reported with errors and analytics */ | |||
| export const LIB_VERSION = 'v0.13'; | |||
| export const LIB_VERSION = 'v0.12'; | |||
There was a problem hiding this comment.
Is this change intended?
There was a problem hiding this comment.
Yep, updating the LIB_VERSION should be the last commit of the release. Otherwise, we will be attempting to fetch the default set of compiled templates from a location that doesn't exist in the CDN: https://assets.sitescdn.net/answers/v0.13/answerstemplates.compiled.min.js
There was a problem hiding this comment.
Ahh, gotcha, that makes sense!
alexisgrow
approved these changes
Mar 4, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.