-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Applies DOMSanitize.sanitize to innerHTML write #8388
Conversation
just accepted CLA |
6794ab6
to
de798d9
Compare
These eslint rules attempt to surface XSS sinks from eslint. This commit is a first pass on eclipse-theia#8398 Change-Id: I142bbba9785c4567dfbea1380f5a980560cf7413 Signed-off-by: LukeWood <[email protected]>
Any update on this one? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry about the delay, I didn't get the notification 👍
The changes look good to me, thank you for taking care of it!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@LukeWood can you include the dompurify
dependency as part of @theia/plugin-ext
(at the moment it is only provided by @theia/preview
)? This will ensure that if a downstream app includes @theia/plugin-ext
and not @theia/preview
it will still work correctly.
@LukeWood would you like me to take care of the outstanding issue #8388 (review) so it can be merged? |
apologies - I didn't realize there were still outstanding issues. If you could do that it would be great - I though I pushed a local copy but I must be mistaken |
de798d9
to
53e363d
Compare
This commit sanitizes the text applied to innerHTML of the linkNode attribute on OpenUriCommandHandler. This is an attempt to limit the xss sink surface in Theia. If there is no reason to do so or this breaks some intended behavior please leave a comment indicating so. Change-Id: Ibee9829b3a44f87d15c9d46b9bc342332e5ccf08 Signed-off-by: Luke Wood <[email protected]>
53e363d
to
9cf33e3
Compare
No problem! I updated the pull-request to include the necessary dependencies in the |
This commit sanitizes the text applied to innerHTML of the linkNode
attribute on OpenUriCommandHandler. This is an attempt to limit the
xss sink surface in Theia.
If there is no reason to do so or this breaks some intended behavior
please leave a comment indicating so.
Signed-off-by: Luke Wood [email protected]
Change-Id: Ibee9829b3a44f87d15c9d46b9bc342332e5ccf08
What it does
sanitizes text assigned to innerHTML in an anchor element
How to test
This is not to address a specific bug - just a precaution.