Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Sanitize HTML tooltips #2538

Merged
merged 7 commits into from
Aug 1, 2023
Merged

fix: Sanitize HTML tooltips #2538

merged 7 commits into from
Aug 1, 2023

Conversation

novakzaballa
Copy link
Contributor

@novakzaballa novakzaballa commented Jul 27, 2023
edited by dabeeeenster
Loading

Thanks for submitting a PR! Please check the boxes below:

  • I have run pre-commit to check linting
  • I have filled in the "Changes" section below?
  • I have filled in the "How did you test this code" section below?
  • I have used a Conventional Commit title for this Pull Request

Changes

DIsable HTML tooltips since they could cause XSS injection vulnerability

How did you test this code?

Manually.
Insert XSS code like "xss" as the label of a tag.
When hover over the tag, it should display simple text and not HTML.

@vercel
Copy link

vercel bot commented Jul 27, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 1, 2023 0:37am
flagsmith-frontend-preview ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 1, 2023 0:37am
flagsmith-frontend-staging ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 1, 2023 0:37am

@github-actions github-actions bot added the front-end Issue related to the React Front End Dashboard label Jul 27, 2023
@github-actions
Copy link
Contributor

github-actions bot commented Jul 27, 2023
edited
Loading

Uffizzi Preview deployment-31973 was deleted.

@novakzaballa novakzaballa requested a review from kyle-ssg July 27, 2023 16:18
kyle-ssg
kyle-ssg reviewed Jul 27, 2023
View reviewed changes
frontend/web/components/Toolip.js Outdated
@@ -16,7 +16,7 @@ const Tooltip = class extends React.Component {
<span className='ion ion-ios-help' data-for={this.id} data-tip />
)}
<ReactTooltip
html
html={false}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only want to disable html for some usages, a lot of the times we use tooltips e.g. permissions uses html for tooltip content.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementing DOMPurify to sanitize the tooltip content since it removes XSS scripts but not HTML content.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As per our conversation, proceeded to HTML encode the tag labels to escape HTML and display content as plain text.
Also, converted Tooltip code to Typescript functional component.

@dabeeeenster dabeeeenster requested a review from kyle-ssg July 31, 2023 14:07
@novakzaballa novakzaballa changed the title fix: disable HTML tooltips fix: Sanitize HTML tooltips Jul 31, 2023
kyle-ssg
kyle-ssg reviewed Aug 1, 2023
View reviewed changes
frontend/web/components/tags/Tag.tsx Outdated
@@ -47,6 +47,7 @@ const Tag: FC<TagType> = ({

return (
<Tooltip
htmlEncode
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we'd probably want to make the property naming of this a bit more clear.

I think plainText might be good since in this case you're wanting to make the tooltip content text rather than html.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, that was my first option but then I thought it was not descriptive enough :). Done

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, also fixed the component filename from toolip to tooltip.

@novakzaballa novakzaballa requested a review from kyle-ssg August 1, 2023 11:43
kyle-ssg
kyle-ssg reviewed Aug 1, 2023
View reviewed changes
frontend/web/components/Tooltip.tsx Outdated
children: string | JSX.Element | JSX.Element[] | (() => JSX.Element),
): string => {
const html = renderToStaticMarkup(
<StyledTooltip>{plainText ? children : '{{placeholder}}'}</StyledTooltip>,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is {{placeholder}} supposed to be here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace with {{html}} for clarity, also, some issues with typescript were corrected

@novakzaballa novakzaballa requested a review from kyle-ssg August 1, 2023 12:47
@kyle-ssg kyle-ssg merged commit f68ea54 into main Aug 1, 2023
@kyle-ssg kyle-ssg deleted the fix/disable-html-on-tooltips branch August 1, 2023 12:52
@dabeeeenster dabeeeenster mentioned this pull request Aug 1, 2023
Merged
@dabeeeenster dabeeeenster mentioned this pull request Aug 22, 2023
Closed
This was referenced Aug 29, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kyle-ssg kyle-ssg kyle-ssg approved these changes

Assignees

@novakzaballa novakzaballa

Labels
front-end Issue related to the React Front End Dashboard
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@novakzaballa @kyle-ssg