Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CB-4743 adds html sanitizer #2420

Merged
merged 5 commits into from
Mar 5, 2024
Merged

CB-4743 adds html sanitizer #2420

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
00864bd
CB-4743 adds html sanitizer
Feb 27, 2024
16dde3e
CB-4743 adds license to sanitizeHtml
Feb 27, 2024
02e19ce
CB-4743 do not use sanitize to purify the json line data
Feb 27, 2024
7e6d937
CB-4743 fix: toSafeHtmlString test correct cases
Feb 27, 2024
97476ec
Merge branch 'devel' into CB-4743-remove-all-dangerously-set-inner-ht…
mr-anton-t Mar 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions webapp/packages/core-utils/src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,3 +77,4 @@ export * from './removeLineBreak';
export * from './replaceSubstring';
export * from './formatNumber';
export * from './withTimestamp';
export * from './toSafeHtmlString';
28 changes: 28 additions & 0 deletions webapp/packages/core-utils/src/toSafeHtmlString.test.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/*
* CloudBeaver - Cloud Database Manager
* Copyright (C) 2020-2024 DBeaver Corp and others
*
* Licensed under the Apache License, Version 2.0.
* you may not use this file except in compliance with the License.
*/
import { toSafeHtmlString } from './toSafeHtmlString';

describe('toSafeHtmlString', () => {
it('should make html string safe', () => {
const input = '<script>alert("some unsafe action")</script>';
const output = toSafeHtmlString(input);
expect(output).toBe('&lt;script&gt;alert("some unsafe action")&lt;/script&gt;');
});

it('should return empty string', () => {
const input = '';
const output = toSafeHtmlString(input);
expect(output).toBe('');
});

it('should return the same string', () => {
const input = 'some safe string';
const output = toSafeHtmlString(input);
expect(output).toBe(input);
});
});
14 changes: 14 additions & 0 deletions webapp/packages/core-utils/src/toSafeHtmlString.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
/*
* CloudBeaver - Cloud Database Manager
* Copyright (C) 2020-2024 DBeaver Corp and others
*
* Licensed under the Apache License, Version 2.0.
* you may not use this file except in compliance with the License.
*/
export function toSafeHtmlString(dirty: string): string {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably better to use lib like dompurify to sanitize html

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was my first solution. @Wroud suggested to generate a html safe string
in this case we kill 2 rabbits:

  • the code is not executable by browser
  • the user will see that something illegal happened in his JSON tab editor and start investigation what happened

image
image

const el = document.createElement('div');
el.innerText = el.textContent = dirty;
dirty = el.innerHTML;

return dirty;
}
Loading