Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

STRIPES-953 Only use DOMPurify's output if it changed something; export sanitize logic #81

Merged
merged 3 commits into from
Jan 14, 2025
Merged

STRIPES-953 Only use DOMPurify's output if it changed something; export sanitize logic #81

merged 3 commits into from
Jan 14, 2025

Conversation

zburke
Copy link
Member

@zburke zburke commented Jan 14, 2025

There are two pieces of work here:

  1. Only use DOMPurify's output if it changed something
  2. Export the sanitize logic

only use DOMPurify's output if it changed something

ReactQuill has a funny behavior- if the input value attribute is different from what it provided to its onChange handler, it will reset its cursor state and put it back at the beginning of the string. The HTML for links output by ReactQuill are generally not offensive, but reversing the attribute order during the value lifecycle resets the cursor repeatedly, even for non-offending templates...

DOMPurify also has a funny behavior, it reverses the attributes of any tag that you feed it.

This PR checks for any changes that DOMPurify would make to the string, and if there are none, it just uses the string...
A tempting alternative approach would be to just call DOMPurify.sanitize twice 🤢 and be done with it... it may come to that in the future.

I also added target and rel to sanitize settings to prevent unwanted removals from happening.

Export the sanitize logic

This makes it possible to sanitize the value at the module level, before it enters the loop/value lifecycle of the form. This allows us to get in front of any malicious/problematic values that were stored via API request (thus bypassing validation logic in the UI that would have prevented such values) and still uphold the UX of the editor.

The sanitize function requires the value (a string) and an optional override config for DOMPurify. The default configuration is adequate for handling the front-end capabilities of the editor.

import { sanitize } from 'stripes-template-editor';

const valueProp = sanitize(value);
// or
const valueProp = sanitize(value, overrideConfig);

Future work - flat-out remove the built-in sanitization in TemplateEditor.js

Refs STRIPES-953

JohnC-80 and others added 3 commits January 14, 2025 09:11
@JohnC-80 @zburke
Only use DOMPurify's output if it changed something (#78)
c109181 
(cherry picked from commit 266441e)
@JohnC-80 @zburke
Stripes 953v2 - Export sanitize logic for usage at the module level. (#…
522c976 
…79)

* Only use DOMPurify's output if it changed something

* export sanitize functionality for the module level so that sanitization can happen prior to the form state loop

* actually add sanitizer.js

* rename export to SANITIZE_CONFIG, document module-level sanitization

* docs tweaks

* document return type

* Update CHANGELOG.md

(cherry picked from commit 8071177)
@zburke
clarify CHANGELOG entry
7876db6
@zburke zburke merged commit 4af67ef into b3.4 Jan 14, 2025
13 checks passed
@zburke zburke deleted the STRIPES-953-v3.4 branch January 14, 2025 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zburke @JohnC-80