Fix use of sanitizeHTML (woocommerce#7231)

* Remove object from sanitizeHTML return value * Import sanitizeHTML from utils * Fix dangerously set inner HTML format * Update package-lock * Update package-lock * Update package-lock * Update @types/dompurify version Co-authored-by: Thomas Roberts <[email protected]>
senadir · Nov 12, 2022 · 49a575a · 49a575a
1 parent 12d9f94
commit 49a575a
Show file tree

Hide file tree

Showing 4 changed files with 42,099 additions and 65,628 deletions.
diff --git a/assets/js/base/components/cart-checkout/shipping-rates-control-package/index.tsx b/assets/js/base/components/cart-checkout/shipping-rates-control-package/index.tsx
@@ -73,7 +73,9 @@ export const ShippingRatesControlPackage = ( {
 			{ ( showItems || collapsible ) && (
 				<div
 					className="wc-block-components-shipping-rates-control__package-title"
-					dangerouslySetInnerHTML={ sanitizeHTML( packageData.name ) }
+					dangerouslySetInnerHTML={ {
+						__html: sanitizeHTML( packageData.name ),
+					} }
 				/>
 			) }
 			{ showItems && (

diff --git a/assets/js/base/context/providers/store-notices/components/store-notices-container.js b/assets/js/base/context/providers/store-notices/components/store-notices-container.js
@@ -4,7 +4,7 @@
 import PropTypes from 'prop-types';
 import classnames from 'classnames';
 import { Notice } from 'wordpress-components';
-import { sanitize } from 'dompurify';
+import { sanitizeHTML } from '@woocommerce/utils';
 import { useDispatch, useSelect } from '@wordpress/data';
 import { PAYMENT_METHOD_DATA_STORE_KEY } from '@woocommerce/block-data';
 
@@ -13,15 +13,6 @@ import { PAYMENT_METHOD_DATA_STORE_KEY } from '@woocommerce/block-data';
  */
 import './style.scss';
 
-const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
-const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];
-
-const sanitizeHTML = ( html ) => {
-	return {
-		__html: sanitize( html, { ALLOWED_TAGS, ALLOWED_ATTR } ),
-	};
-};
-
 const getWooClassName = ( { status = 'default' } ) => {
 	switch ( status ) {
 		case 'error':
@@ -78,11 +69,7 @@ export const StoreNoticesContainer = ( {
 						}
 					} }
 				>
-					<span
-						dangerouslySetInnerHTML={ sanitizeHTML(
-							props.content
-						) }
-					/>
+					{ sanitizeHTML( props.content ) }
 				</Notice>
 			) ) }
 		</div>

diff --git a/assets/js/utils/sanitize-html.ts b/assets/js/utils/sanitize-html.ts
@@ -1,27 +1,20 @@
 /**
  * External dependencies
  */
-import DOMPurify from 'dompurify';
-
-type sanitizedHTMLObject = {
-	// eslint-disable-next-line @typescript-eslint/naming-convention
-	__html: string;
-};
+import { sanitize } from 'dompurify';
 
 const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
 const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];
 
 export const sanitizeHTML = (
 	html: string,
 	config?: { tags?: typeof ALLOWED_TAGS; attr?: typeof ALLOWED_ATTR }
-): sanitizedHTMLObject => {
+) => {
 	const tagsValue = config?.tags || ALLOWED_TAGS;
 	const attrValue = config?.attr || ALLOWED_ATTR;
 
-	return {
-		__html: DOMPurify.sanitize( html, {
-			ALLOWED_TAGS: tagsValue,
-			ALLOWED_ATTR: attrValue,
-		} ),
-	};
+	return sanitize( html, {
+		ALLOWED_TAGS: tagsValue,
+		ALLOWED_ATTR: attrValue,
+	} );
 };