
dm-4880 XSS vulnerability fix 2 #1132

Merged

Conversation

PhilipDeFraties
Collaborator

@PhilipDeFraties PhilipDeFraties commented Nov 22, 2024

JIRA issue link

https://agile6.atlassian.net/browse/DM-4880

Description - what does this code do?

In the JS containing the file upload logic for the "Implementation" tab of the innovation editor: adds the lodash function `escape` to ensure safe encoding of characters rendered to HTML as the filename, to prevent an XSS vulnerability.

Testing done - how did you test it / steps on how another person can test it

Go to the "Implementation" tab of the innovation editor and verify that files can be uploaded as resource attachments and that the UI behaves as expected.

Screenshots, Gifs, Videos from application (if applicable)

Link to mock-ups (image file if you have it) (if applicable)

Acceptance criteria

  • [ ]

Definition of done

  • Unit tests written (if applicable)
  • e2e/accessibility tests written (if applicable)
  • Events are logged appropriately
  • Documentation has been updated, if applicable
  • A link has been provided to the originating JIRA issue
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs

…ing to file uploads for resource attachments on the implementation page

Adds the lodash function `escape` to ensure safe encoding of characters rendered to HTML as the filename, to prevent an XSS vulnerability.
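As an added illustration of the fix described in the PR description and the commit message above (example code, not the project's own), here is the before/after of rendering an uploaded filename into markup. The `escapeHtml` helper mirrors the character set lodash's `escape` handles (`&`, `<`, `>`, `"`, `'`); the row-rendering function names and the `<li>` markup are assumptions, and the sample filenames are constructed.

```javascript
// Mirrors the character set lodash's `escape` converts to HTML entities.
// (Stand-in so the example runs without lodash; the project uses lodash itself.)
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE (hypothetical): the filename is interpolated directly into markup.
// When this string is assigned to innerHTML, any tag in the filename is
// parsed as HTML instead of shown as text. This is the DOM text
// reinterpretation pattern the CodeQL warning in the branch name refers to.
function renderAttachmentRowUnsafe(filename) {
  return `<li class="attachment">${filename}</li>`;
}

// AFTER (hypothetical): the filename is escaped first, so the browser
// renders it literally no matter what characters the uploader chose.
function renderAttachmentRowSafe(filename) {
  return `<li class="attachment">${escapeHtml(filename)}</li>`;
}

// Defensive check usable in a unit test: the interpolated text between the
// fixed wrapper tags must not contain any character that can open a tag or
// break out of an attribute value.
function containsRawMarkup(rendered) {
  const inner = rendered
    .replace(/^<li class="attachment">/, '')
    .replace(/<\/li>$/, '');
  return /[<>"']/.test(inner);
}

// Constructed sample filenames: an ordinary one, one with quotes, and one
// carrying markup that would be reinterpreted by the unsafe renderer.
const SAMPLE_FILENAMES = ['report.pdf', 'Q4 "final" (v2).xlsx', '<script>x</script>.txt'];

function renderAll(filenames) {
  return filenames.map(renderAttachmentRowSafe);
}

for (const row of renderAll(SAMPLE_FILENAMES)) {
  console.log(row);
}
```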
@PhilipDeFraties PhilipDeFraties self-assigned this Nov 22, 2024
@PhilipDeFraties PhilipDeFraties changed the title from "update function in practice_editor_utilities containing logic pertain…" to "dm-4880 XSS vulnerability fix 2" Nov 22, 2024
@camillevilla camillevilla merged commit 4ccd27e into master Nov 28, 2024
3 of 4 checks passed
@camillevilla camillevilla deleted the dm-4880-fix-dom-text-reinterpret-codeql-warning-2 branch November 28, 2024 02:55