feat: vscode extension #4104
feat: vscode extension #4104
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| <small | ||
| className="block text-neutral-600 italic overflow-hidden whitespace-nowrap overflow-ellipsis" | ||
| dangerouslySetInnerHTML={{ | ||
| __html: highlightMatch(index, search), |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
| title={item[displayBy]} | ||
| className="font-bold" | ||
| dangerouslySetInnerHTML={{ | ||
| __html: highlightMatch(item[displayBy], search), |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To fix the issue, we need to ensure that any HTML injected into the DOM via dangerouslySetInnerHTML is sanitized to prevent XSS. The best approach is to use a library like dompurify to sanitize the output of highlightMatch. This ensures that any potentially malicious input is neutralized before being rendered as HTML.
Steps to fix:
- Install the
dompurifylibrary if it is not already installed. - Import
dompurifyinto the file. - Use
DOMPurify.sanitizeto sanitize the output ofhighlightMatchbefore passing it todangerouslySetInnerHTML.
| @@ -1,2 +1,3 @@ | ||
| import React, { Fragment, useMemo, useRef, useState } from 'react' | ||
| import DOMPurify from 'dompurify' | ||
| import Input from '@/components/input/Input' | ||
| @@ -333,3 +334,3 @@ | ||
| dangerouslySetInnerHTML={{ | ||
| __html: highlightMatch(item[displayBy], search), | ||
| __html: DOMPurify.sanitize(highlightMatch(item[displayBy], search)), | ||
| }} |
| @@ -23,3 +23,4 @@ | ||
| "react-dom": "^19.0.0", | ||
| "tailwindcss": "^4.1.3" | ||
| "tailwindcss": "^4.1.3", | ||
| "dompurify": "^3.2.5" | ||
| }, |
| Package | Version | Security advisories |
| dompurify (npm) | 3.2.5 | None |
benfdking
force-pushed
the
vscode_extension
branch
5 times, most recently
from
8a0b89e to
2673372
Compare
|
|
||
| import * as path from 'path' | ||
|
|
||
| const folderName = path.basename(__dirname) |
vscode/extension/src/common/setup.ts
Outdated
| export function loadServerDefaults(): IServerInfo { | ||
| const packageJson = path.join(EXTENSION_ROOT_DIR, 'package.json') | ||
| const content = fs.readFileSync(packageJson).toString() | ||
| const config = JSON.parse(content) |
| let rootWorkspace = workspaces[0] | ||
| let root = undefined | ||
| for (const w of workspaces) { | ||
| if (await fs.pathExists(w.uri.fsPath)) { |
There was a problem hiding this comment.
should we juts use pathExistsSync ?
| * | ||
| * @returns The sqlmesh executable for the current workspace. | ||
| */ | ||
| export const sqlmesh_exec = async (): Promise<Result<sqlmesh_exec, string>> => { |
| target="_blank" | ||
| rel="noopener noreferrer" | ||
| > | ||
| Learn React |
vscode/react/src/logo.svg
Outdated
| // Use a different variable name to avoid conflict with the parameter | ||
| const eventPayload = { | ||
| key: callbackName, | ||
| payload: payload, | ||
| } | ||
| window.parent.postMessage({ | ||
| key: "vscode_callback", | ||
| payload: eventPayload, | ||
| }, '*'); |
There was a problem hiding this comment.
maybe just use object directly payload: { ... }?
vscode/react/index.html
Outdated
| // You can import and use all API from the 'vscode' module | ||
| // as well as import your extension to test it | ||
| import * as vscode from 'vscode' | ||
| // import * as myExtension from '../../extension'; |
| if (message && message.key) { | ||
| if (message.key === "vscode_callback") { |
There was a problem hiding this comment.
i think you can just if (message?.key === "vscode_callback") { ... } else {}
| webviewView.webview.onDidReceiveMessage( | ||
| async (message) => { | ||
| console.log("message received", message); | ||
| if (message && message.key) { |
There was a problem hiding this comment.
should we have a dedicated ConsoleLog() function to use when we need to log something and treat native console.log as part of dev debugging that needs to be removed ?
| // synchronize: { | ||
| // fileEvents: workspace.createFileSystemWatcher('**/*.{sql,py}'), | ||
| // } |
| if (_api) { | ||
| return _api | ||
| } | ||
| _api = await PythonExtension.api() |
There was a problem hiding this comment.
maybe _api = _api || await PythonExtension.api()
| try { | ||
| const api = await getPythonExtensionAPI() | ||
|
|
||
| if (api) { | ||
| disposables.push( | ||
| api.environments.onDidChangeActiveEnvironmentPath(async (e) => { | ||
| const environment = await api.environments.resolveEnvironment(e.path) | ||
| const isVirtualEnv = environment?.environment !== undefined | ||
| const binPath = isVirtualEnv ? environment?.environment?.folderUri.fsPath : undefined | ||
|
|
||
| onDidChangePythonInterpreterEvent.fire({ | ||
| path: [e.path], | ||
| resource: e.resource?.uri, | ||
| isVirtualEnvironment: isVirtualEnv, | ||
| binPath | ||
| }) | ||
| }), |
There was a problem hiding this comment.
it is trying to catch Error initializing python and i think if await getPythonExtensionAPI() returns null that kinda like an error we want to catch here but having if (api) { prevents that
| const level = logLevelToTrace(channelLogLevel <= globalLogLevel ? channelLogLevel : globalLogLevel) | ||
| return level | ||
| } |
There was a problem hiding this comment.
maybe just return logLevelToTrace(channelLogLevel <= globalLogLevel ? channelLogLevel : globalLogLevel)
benfdking
force-pushed
the
vscode_extension
branch
8 times, most recently
from
5cc30c2 to
daa2f80
Compare
benfdking
force-pushed
the
vscode_extension
branch
4 times, most recently
from
cdb81d1 to
a019d1c
Compare
registered logging [ci skip] format works making progress making progress sharing node modules creating the docs progress getting react server to show making progress with the server temp get calling api now need to add lineage tab making progress on vscode lineage temp progress: showing the lineage graph [ci skip] cleaning up lineage [ci skip] added ability to open files temp [ci skip] trying to implement lsp [ci skip] temp [ci skip] test [ci skip] temp [ci skip] temp [ci skip] temp [ci skip]
benfdking
force-pushed
the
vscode_extension
branch
from
a019d1c to
9d2ab34
Compare
Initial scope: