-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WebUI: Sanitize user-input fields of PRs #8271
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great thanks!
I feel like we should probably go over other UI components and verify we do the same for user inputs
Also - please don't close the related issue (or alternatively open a new one)
Since we should potentially do this for the backend as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a fan. For instance, this prevents me from having a PR title "Fix <b> tags
":
- If I try to type it in, it helpfully purifies the first
<
and I get "Fix <b> tags
". - If you set it on the server directly through the API and I try to read it from the GUI, I see "
Fix <b> tags</b>
".
Neither is correct.
In fact I expect React {...}
to protect me! So I would also expect React-Bootstrap components to inherit this behaviour. This protection would would kinda protect some other bad website, or some broken component in our web UI, from failing, one that presumably runs React dangerouslySetInnerHTML
or simply allows HTML injection.
Additionally, this enforces that I cannot use the GUI to enter a string that we might fear. But I can still use the API to enter the exact same string.
Basically, I believe that clients need to protect themselves when reading code, correctly. Not sure this is the way ;-(
Closes #8203.
Change Description
Adding sanitize for user-input fields of a PR, to prevent malicious attacks.
Currently it's only relevant for title + description when creating a PR.
Using the very popular DOMPurify package.
Testing Details
Verified manually that PR creation still works.