Fixes open vulnerabilities for #38

[samschurter]

This should deal with the open CVEs referenced in #38, Dogfalo#6286, and Dogfalo#6331

Proposed changes

CVE-2019-11002 (tooltip component)

• Add the options text and unsafeHTML
• Change behavior of the data-tooltip attribute to set the text property instead of html (breaking change)
• Inject text as .textContent
• Append html/unsafeHTML as HTML
• If unsafeHTML is used, html will be ignored
• Updated docs to indicate that use of html is deprecated, and added warnings to unsafeHTML

CVE-2019-11004 (toast component)

• Add the options text and unsafeHTML
• Inject text as .textContent
• Append html/unsafeHTML as HTML
• If unsafeHTML is used, html will be ignored
• Updated docs to indicate that use of html is deprecated, and added warnings to unsafeHTML

CVE-2019-11003 (autocomplete component)

• Add allowUnsafeHTML option defaulting to false
• If user sets allowUnsafeHTML: true then behavior is unchanged
• If allowUnsafeHTML remains false, then the autocomplete data key is injected as textContent

Screenshots (if appropriate) or codepen:

Couldn't figure out how to do a codepen with the re-compiled javascript. If you clone the PR and compile it then the examples under test/html for autocomplete, toast, and tooltips will demonstrate the changes.

Types of changes

• Bug fix (non-breaking change which fixes an issue).
• New feature (non-breaking change which adds functionality).
• Breaking change (fix or feature that would cause existing functionality to change).

Checklist:

• I have read the CONTRIBUTING document.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

[movinglinguini]

Hey @samschurter I was wondering if you will resolve that conflict.

[samschurter]

@LAG1996 No, I don't think so. This is a dead PR. It was opened long before the pull request that caused that conflict, yet this PR has received no reviews. The people running this project now have no interest in fixing the vulnerabilities.

[DanielRuf]

The people running this project now have no interest in fixing the vulnerabilities.

Sorry but this is basically not true =)

[DanielRuf]

cc @materializecss/members

[Smankusors]

@LAG1996 No, I don't think so. This is a dead PR. It was opened long before the pull request that caused that conflict, yet this PR has received no reviews. The people running this project now have no interest in fixing the vulnerabilities.

I'm sorry, but I feel not confident about reviewing this one. Anyway, I see you created new tests. Should these... added to the Jasmine tests?

[Prepaid2Coin-Cory]

Would like to see this merged please. Even if it is BC 2 years is due time for a Major Semver.

[Prepaid2Coin-Cory]

cc: @DanielRuf

[DanielRuf]

Thanks for your contributions @samschurter.

CI is green and the relevant changes are documented. I also think we can move forward with this and finally break some setups.

Let's merge it.

[DanielRuf]

You should have received an invitation to join @materializecss as member and collaborator for https://materializecss/materialize.

[ChildishGiant]

Does anyone know how to flag the new version as having patched this advisory? That way NPM could run an automatic upgrade, although that probably shouldn't happen till 1.1.0 is stable.

[DanielRuf]

That way NPM could run an automatic upgrade, although that probably shouldn't happen till 1.1.0 is stable.

Not sure what you mean with "automatic upgrade". npm audit fix automatically installs the latest version afaik. The npmjs team creates advisories and defines the patched version there. Our fork is not officially affected because it is a different package.

See also https://github.com/materializecss/materialize/security/advisories

https://www.npmjs.com/advisories?page=7&perPage=100
https://www.npmjs.com/advisories/817
https://www.npmjs.com/advisories/818

[ChildishGiant]

This is from a project that's using our fork so it certainly is picked up by npm audit

[DanielRuf]

Does it use the v1.1.0-alpha?

What does npm ls materialize-css output?

[ChildishGiant]

ah, my mistake, I still had the old version installed. Removing that fixed this.

[AJLeonardi]

Hey Folks, I'm just moving over from the "old" materialize to this one and doing my regression testing. I'm seeing an issue with both the HTML and unsafeHTML flag for tooltips. Regardless of the option I choose, html is rendered as a string, rather than HTML.

I assume since the description for the unsafeHTML option is the same as the old HTML option support for HTML content wasn't deprecated entirely.

Any ideas on what my issue might be?

for initialization I've tried both:

var tt_options = {'html':true,};
var elem = document.querySelectorAll('.tooltipped');
var instance = M.Tooltip.init(elem, tt_options);

and

var tt_options = {'unsafeHTML':true,};
var elem = document.querySelectorAll('.tooltipped');
var instance = M.Tooltip.init(elem, tt_options);

[ChildishGiant]

Docs on how to use it can be found here: https://materializecss.github.io/materialize/toasts.html unsafeHTML is a string, not a bool.

[AJLeonardi]

thanks, @ChildishGiant

In my case tool tips are generated dynamically based on RSVP details in a DB. There could be dozens of them on the page.

With the old materialize in my jinja template I would just create the dynamic HTML within the data-tooltip attribute of each tooltipped <a> and globally initialize all the tooltips in one go using the approach above (which seems to be undocumented. setting data-html="true" on the tooltipped <a> also works).

This worked and it was simple and great. All the looping happened in the context of the object in my template and they were initialized with a single js call.

Now it seems I have to create unique IDs for each tooltip, generate the html in the <script> section with some-way to correlate it to the specific tooltip ID, and then write javascript to initialize each one individually (rather than a single line of js I did before).

Am I understanding that correctly, or am I missing something super obvious? Is there a way to include the html in another data- attribute and have the init grab that dynamically?

Imagine a world where the tooltip example here https://materializecss.com/tooltips.html showed different HTML contents (instead of just "I am a tooltip!") for each bottom, top, left, right buttons. Would you have to initialize each one separately?

Thanks!

[ilatypov]

Now it seems I have to create unique IDs for each tooltip, generate the html in the <script> section with some-way to correlate it to the specific tooltip ID, and then write javascript to initialize each one individually (rather than a single line of js I did before).

I checked the updated documentation
https://materializecss.github.io/materialize/tooltips.html

and the source code and I agree with the criticism. I guess the unsafeHTML fix needs an improvement by refactoring the programming interface. As of now, toasts require an onclick handler which is both clumsy and disagreeable with the Content Security Policy option allowing servers to disable inline scripts. The tooltips, on the other hand, look perfect in terms of initialization and handling, but the unsafeHTML option, instead of allowing all tooltips to be unsafe, allows only addition of a single unsafe HTML to all tooltips. So I guess toasts could use the same approach as tooltips in terms of initialization/handling, and then the unsafeHTML option needs changing from a string to a boolean. Perhaps, with the new paradigm, one does not have to worry about backward compatibility and one could use the unsafeHTML option name or even rename it.

[DanielRuf]

Hi @ilatypov,

thanks for your feedback. That sounds good and I agree with you. Any contribution is very welcome. If you have the time and want to help, you can provide a PR which improves this. As we still did not do a new stable release (https://github.com/materializecss/materialize/releases), breaking changes are fine.

[Skopea]

I notice that the changes have been merged, but I haven't seen a new release yet. Is v1.0.0 for materialize-css still the latest version? Am I overlooking something? What steps should I take to update the packages and address my vulnerabilities?

[FINDarkside]

@Skopea 2.0.3 is the latest version. https://www.npmjs.com/package/@materializecss/materialize

[mxdpeep]

I notice that the changes have been merged, but I haven't seen a new release yet. Is v1.0.0 for materialize-css still the latest version? Am I overlooking something? What steps should I take to update the packages and address my vulnerabilities?

looking at bad URL :)

https://github.com/materializecss/materialize/releases