Assorted security fixes needed to open source the SDK #532
Conversation
tmeyer2115 commented Mar 4, 2020
- Removing templateUrl as an option from the SDK.
- Updating XSS vulnerabilities across multiple HBS templates.
…nk and footer text
…handlebars helper
Dropping support for passing in HTML to render a custom icon; users may still pass in an iconName to use one of the library's built-in icons, or they may pass in a URL for a custom icon. Disallowing unescaped HTML in the Direct Answers component. Also escaping the HTML in test cases. TEST=manual,auto
Add a handlebars helper to escape HTML highlighted text in the Spellcheck and Autocomplete components, then format within the helper. Remove UI text formatting from autocomplete response data model. Update test cases so that they do not expect values with HTML in them. TEST=manual,auto
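The escape-then-format approach the two commit messages above describe, as an added example that is not the Answers SDK's own code: the raw value is escaped first and the highlight markup is added afterwards inside the helper, so nothing in the API response can become HTML. It assumes a response shape of a plain `value` string plus `matchedSubstrings` entries with `offset` and `length` (an assumption for illustration; the real data model is not shown on this page), mirrors the shape of a Handlebars helper without requiring the Handlebars runtime, and the helper and function names are assumptions as well.

```javascript
// Added example, not the Answers SDK's own code. Escape first, then add
// highlight markup, so that nothing in the API response can become HTML.
// Assumed response shape: { value: string, matchedSubstrings: [{offset, length}] }.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Same character set Handlebars escapes by default for {{expr}} output.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Helper body: split `value` into unmatched / matched runs using the offsets,
// escape every run, then wrap the matched runs in <strong>. Ranges that fall
// outside the string or overlap an earlier range are dropped rather than trusted.
function highlightHelper(value, matchedSubstrings) {
  const text = String(value);
  const ranges = (matchedSubstrings || [])
    .map((m) => ({ start: m.offset, end: m.offset + m.length }))
    .filter((r) => Number.isInteger(r.start) && Number.isInteger(r.end)
      && r.start >= 0 && r.end <= text.length && r.end > r.start)
    .sort((a, b) => a.start - b.start);

  let html = '';
  let cursor = 0;
  for (const r of ranges) {
    if (r.start < cursor) continue; // overlaps a range already emitted
    html += escapeHtml(text.slice(cursor, r.start));
    html += '<strong>' + escapeHtml(text.slice(r.start, r.end)) + '</strong>';
    cursor = r.end;
  }
  return html + escapeHtml(text.slice(cursor));
}

// How the helper would be registered when Handlebars is loaded (assumed shape;
// SafeString marks the output as already escaped so {{highlight ...}} does not
// double-escape the <strong> tags). Guarded so the file runs without Handlebars.
if (typeof Handlebars !== 'undefined') {
  Handlebars.registerHelper('highlight', (value, matched) =>
    new Handlebars.SafeString(highlightHelper(value, matched)));
}

// Constructed sample: an autocomplete suggestion containing markup and a
// matched prefix of 5 characters ("pizza").
const sample = {
  value: 'pizza <img src=x onerror=alert(1)> near me',
  matchedSubstrings: [{ offset: 0, length: 5 }],
};
console.log(highlightHelper(sample.value, sample.matchedSubstrings));
```

The order matters: a helper that wrapped the matched run first and escaped afterwards would turn its own `<strong>` tags into text, while a template that received pre-formatted HTML and printed it with `{{{ }}}` would render whatever the response carried. Escaping each run before concatenating the markup is what makes the output safe to mark as a SafeString.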
Remove templateUrl option from the SDK. This PR removes the templateUrl option from the SDK. This functionality led to a security vulnerability as we were dynamically adding a <script> tag to the page with whatever the templateUrl was. With this change, a client is still able to supply a custom bundle to Answers, but it must be done using the templateBundle attribute. If no templateBundle is supplied, we will fetch the default set of templates for the current release. TEST=manual Made sure that I could supply a custom bundle via templateBundle. Also made sure that if I did not supply a custom bundle, the default was fetched from the CDN.
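The templateUrl removal described in the commit message above, as an added example that is not the SDK's own code: a loader that rejects a caller-supplied script URL outright, accepts an in-memory templateBundle, and otherwise builds the CDN URL for the current release from LIB_VERSION (the CDN path is the one quoted later in this thread). The option names templateUrl and templateBundle and the LIB_VERSION constant come from this page; the function names, the version-format check, the origin check and the stub document object are assumptions.

```javascript
// Added example, not the Answers SDK's own code. Contrasts the removed
// templateUrl behaviour with the templateBundle / default-CDN resolution the
// commit message describes. LIB_VERSION and the CDN path follow this page;
// everything else (function names, the version check, the stub document) is assumed.

const LIB_VERSION = 'v0.12';
const TEMPLATES_CDN_ORIGIN = 'https://assets.sitescdn.net';

// Before: the option value went straight into a <script src>, so any value that
// reached templateUrl became executable script on the page.
function loadTemplatesBefore(doc, config) {
  const script = doc.createElement('script');
  script.src = config.templateUrl; // no allowlist, no check at all
  doc.head.appendChild(script);
  return script.src;
}

// The only URL the SDK should ever fetch templates from: fixed origin, path
// derived from the release version, never from caller input.
function defaultTemplateUrl(version = LIB_VERSION) {
  // Version format check is an assumption; it keeps path separators and
  // query strings out of the URL even if the constant were ever mis-set.
  if (!/^v\d+\.\d+$/.test(version)) {
    throw new Error(`unexpected LIB_VERSION format: ${version}`);
  }
  return `${TEMPLATES_CDN_ORIGIN}/answers/${version}/answerstemplates.compiled.min.js`;
}

// After: either use the caller's in-memory bundle or fall back to the CDN.
// templateUrl is rejected outright so a stale integration fails loudly rather
// than silently keeping the injection path.
function resolveTemplates(config = {}) {
  if ('templateUrl' in config) {
    throw new Error('templateUrl is no longer supported; pass templateBundle instead');
  }
  if (config.templateBundle !== undefined) {
    if (typeof config.templateBundle !== 'object' || config.templateBundle === null) {
      throw new TypeError('templateBundle must be a compiled template object');
    }
    return { source: 'bundle', templates: config.templateBundle };
  }
  return { source: 'cdn', url: defaultTemplateUrl() };
}

// Script injection is still needed for the CDN fallback; the origin check is a
// belt-and-braces guard so a future code path cannot reintroduce arbitrary URLs.
function injectTemplateScript(doc, url) {
  if (!url.startsWith(`${TEMPLATES_CDN_ORIGIN}/`)) {
    throw new Error(`refusing to load templates from ${url}`);
  }
  const script = doc.createElement('script');
  script.src = url;
  script.async = true;
  doc.head.appendChild(script);
  return script.src;
}

// Constructed stand-in for `document` so this runs outside a browser.
function stubDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tag) => ({ tagName: tag }) };
}

// Demonstration: the old path loads whatever URL it is handed; the new path
// only ever injects the release's own CDN URL.
const doc = stubDocument();
console.log(loadTemplatesBefore(doc, { templateUrl: 'https://evil.example/x.js' }));
const resolved = resolveTemplates({});
console.log(injectTemplateScript(doc, resolved.url));
```

Rejecting `templateUrl` with an error rather than ignoring it is the deliberate choice here: an integrator who still sets the old option finds out at load time instead of silently getting the CDN defaults. The origin check in `injectTemplateScript` is prefix-based on the full origin plus a slash, so a lookalike host such as `assets.sitescdn.net.evil.example` is refused.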
@@ -1,7 +1,7 @@ | |||
/** @module */ | |||
|
|||
/** The current lib version, reported with errors and analytics */ | |||
export const LIB_VERSION = 'v0.13'; | |||
export const LIB_VERSION = 'v0.12'; |
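Review bot: The LIB_VERSION change from 'v0.13' back to 'v0.12' on the last line of this hunk carries no explanation in the diff itself, yet the reply below shows that the value also decides which CDN path the default compiled templates are fetched from. A one-line comment next to the constant, for instance `/** Must match a published templates release on the CDN; bump only as the last commit of a release */`, would record that coupling where the next person changing the constant will see it.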
Is this change intended?
Yep, updating the LIB_VERSION should be the last commit of the release. Otherwise, we will be attempting to fetch the default set of compiled templates from a location that doesn't exist in the CDN: https://assets.sitescdn.net/answers/v0.13/answerstemplates.compiled.min.js
Ahh, gotcha, that makes sense!