Dynamic html needs to be sanetized #1387

bartbutenaers · 2024-10-12T06:01:17Z

Hi guys,

Our friend @dceejay has reviewed my pull-request for html labels. He correctly mentioned that I needed to sanetize the html. While implementing a fix, I saw that the same problem does exist in many other places.

The dom-purify library is currently only used for the v-html in the ui-markdown node. But not for the v-html attribute in the following files:

Not sure whether all of these might impose a security risk, but I assume it is better to have a look at all of them.

If you want I can have a look at this...

Bart

The text was updated successfully, but these errors were encountered:

m-schaeffler · 2024-10-12T08:36:31Z

👍

bartbutenaers · 2024-10-23T05:10:41Z

This has been implemented for all widgets. The remaining ones where about the documentation, but that seems not to be a security risk (see PR conversation). So for me this issue is completed.

joepavitt added this to Dashboard Backlog Oct 12, 2024

github-project-automation bot moved this to Backlog in Dashboard Backlog Oct 12, 2024

joepavitt added size:S - 2 Sizing estimation point priority:high High Priority labels Oct 12, 2024

joepavitt moved this from Backlog to Up Next in Dashboard Backlog Oct 12, 2024

bartbutenaers mentioned this issue Oct 12, 2024

Sanitize HTML Injections #1394

Merged

17 tasks

bartbutenaers closed this as completed Oct 23, 2024

github-project-automation bot moved this from Up Next to Done in Dashboard Backlog Oct 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dynamic html needs to be sanetized #1387

Dynamic html needs to be sanetized #1387

bartbutenaers commented Oct 12, 2024

m-schaeffler commented Oct 12, 2024

bartbutenaers commented Oct 23, 2024

Dynamic html needs to be sanetized #1387

Dynamic html needs to be sanetized #1387

Comments

bartbutenaers commented Oct 12, 2024

m-schaeffler commented Oct 12, 2024

bartbutenaers commented Oct 23, 2024