
Refactors all bad usage of innerHTML out of our codebase #7242

Merged (1 commit), Nov 30, 2023

Conversation

jvigliotta
Contributor

@jvigliotta jvigliotta commented Nov 16, 2023

Closes

Describe your changes:

Applying these changes: #7144 to the base version of Open MCT used in OMM.

Functionality to Verify:

  • Flexible Layouts
    • Can you drag and drop items into the layout?
  • Plots
    • Overlay, Stacked, Standalone need regression tests

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Is this change backwards compatible? For example, developers won't need to change how they are calling the API or how they've extended core plugins such as Tables or Plots.

Author Checklist

  • Changes address original issue?
  • Tests included and/or updated with changes?
  • Command line build passes?
  • Has this been smoke tested?
  • Testing instructions included in associated issue OR is this a dependency/testcase change?

Reviewer Checklist

  • Changes appear to address issue?
  • Reviewer has tested changes by following the provided instructions?
  • Changes appear not to be breaking changes?
  • Appropriate automated tests included?
  • Code style and in-line documentation are appropriate?
  • Has associated issue been labelled unverified? (only applicable if this PR closes the issue)
  • Has associated issue been labelled bug? (only applicable if this PR is for a bug fix)

@jvigliotta jvigliotta requested a review from davetsay November 16, 2023 21:58
Contributor

@davetsay davetsay left a comment


This looks great. I'm going to ask @ozyx to review as he implemented this originally for the main code path.

@ozyx ozyx self-requested a review November 17, 2023 19:26
Contributor

@ozyx ozyx left a comment


This looks good to me overall, but I would recommend pulling the changes to implement eslint-plugin-no-unsanitized as well to prevent this in the future. Tests are also failing for some CI-related reason.

@@ -418,7 +421,10 @@ export default {
// Have to throw away the old canvas elements and replace with new
// canvas elements in order to get new drawing contexts.
const div = document.createElement('div');
div.innerHTML = this.canvasTemplate + this.canvasTemplate;
div.innerHTML = `
<canvas style="position: absolute; background: none; width: 100%; height: 100%;"></canvas>
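Review bot: The replacement line `div.innerHTML = \`` still assigns to innerHTML, so the eslint-plugin-no-unsanitized rule recommended in this review would flag it even though the literal visible here contains no `${}` interpolation; either build the canvases with `document.createElement('canvas')` and set the style properties directly, or leave a short comment on this line stating that the markup is a static literal so the remaining innerHTML use is self-documenting. Also, the removed line produced two canvases via `this.canvasTemplate + this.canvasTemplate`, while only one `<canvas>` is visible in the new literal; confirm the full literal still yields both.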
Contributor


What about this innerHTML?

Contributor


The vulnerability arises not just from assignment to innerHTML, but when that assignment contains variables that could potentially store user input. It can expose the app at some level to cross-site scripting. So this one should be OK.

Contributor


Got it
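The distinction drawn in the review thread above (a plain string literal assigned to innerHTML is fine, an assignment that mixes in variables needs review) is what eslint-plugin-no-unsanitized automates. What follows is an added example, not Open MCT code and not the plugin's implementation: a small, lexically naive checker that classifies each innerHTML assignment in a source string; `classifyInnerHTMLAssignments`, `scanLiteral` and the sample source are hypothetical/constructed.

```javascript
// Added example (not Open MCT code): classifies every `.innerHTML =` assignment as
// "static" (RHS is one string literal without ${} interpolation, like the canvas
// template literal in this PR) or "dynamic" (identifiers, concatenation or interpolation).
const ASSIGN_RE = /\.innerHTML\s*(\+?=)(?!=)/g;
// src[start] is the opening quote; returns { end, interpolated } or null if unterminated.
function scanLiteral(src, start) {
  const quote = src[start];
  let interpolated = false;
  for (let i = start + 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === '\\') { i++; continue; }                 // skip escaped character
    if (quote === '`' && ch === '$' && src[i + 1] === '{') interpolated = true;
    if (ch === quote) return { end: i, interpolated };
  }
  return null;
}
// Returns [{ line, kind }] for each assignment, kind being "static" or "dynamic".
function classifyInnerHTMLAssignments(src) {
  const findings = [];
  for (const m of src.matchAll(ASSIGN_RE)) {
    const line = src.slice(0, m.index).split('\n').length;
    let i = m.index + m[0].length;
    while (i < src.length && /\s/.test(src[i])) i++;   // skip to start of RHS
    let kind = 'dynamic';                               // assume the worst
    if (m[1] === '=' && i < src.length && /["'`]/.test(src[i])) {
      const lit = scanLiteral(src, i);
      if (lit && !lit.interpolated) {
        let j = lit.end + 1;
        while (j < src.length && /[ \t]/.test(src[j])) j++;
        // a lone literal ends the statement; `+ x` after it makes the value dynamic
        if (j >= src.length || /[;\r\n)}]/.test(src[j])) kind = 'static';
      }
    }
    findings.push({ line, kind });
  }
  return findings;
}
// Constructed sample echoing the two lines discussed in the review thread.
const SAMPLE = [
  "const div = document.createElement('div');",
  'div.innerHTML = this.canvasTemplate + this.canvasTemplate;',  // line 2: dynamic
  'div.innerHTML = `',                                             // line 3: static
  '<canvas style="position: absolute; width: 100%;"></canvas>',
  '`;',
  'row.innerHTML = `<td>${item.name}</td>`;',                      // line 6: dynamic
  "cell.innerHTML = 'n/a';",                                       // line 7: static
].join('\n');
console.log(classifyInnerHTMLAssignments(SAMPLE));
```

The checker does not understand comments or nested template literals, so treat its output as a review queue rather than a verdict.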

@davetsay
Contributor

> This looks good to me overall, but I would recommend pulling the changes to implement eslint-plugin-no-unsanitized as well to prevent this in the future. Tests are also failing for some CI-related reason.

This branch will dead-end, and in the next release we'll pick up from the main Open MCT, so I'm going to merge this, @ozyx.

@davetsay davetsay merged commit 3b28dd6 into omm-release/5.2 Nov 30, 2023
@davetsay davetsay deleted the sanitize-user-input branch November 30, 2023 18:06
@unlikelyzero unlikelyzero added this to the Target:OMM milestone Jan 25, 2024