Fix use of sanitizeHTML #7231

Merged
merged 9 commits into from
Oct 5, 2022
Expand Up @@ -73,7 +73,9 @@ export const ShippingRatesControlPackage = ( {
{ ( showItems || collapsible ) && (
<div
className="wc-block-components-shipping-rates-control__package-title"
dangerouslySetInnerHTML={ sanitizeHTML( packageData.name ) }
dangerouslySetInnerHTML={ {
__html: sanitizeHTML( packageData.name ),
} }
/>
) }
{ showItems && (
Expand Up @@ -4,7 +4,7 @@
import PropTypes from 'prop-types';
import classnames from 'classnames';
import { Notice } from 'wordpress-components';
import { sanitize } from 'dompurify';
import { sanitizeHTML } from '@woocommerce/utils';
import { useDispatch, useSelect } from '@wordpress/data';
import { PAYMENT_METHOD_DATA_STORE_KEY } from '@woocommerce/block-data';

Expand All @@ -13,15 +13,6 @@ import { PAYMENT_METHOD_DATA_STORE_KEY } from '@woocommerce/block-data';
*/
import './style.scss';

const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];

const sanitizeHTML = ( html ) => {
return {
__html: sanitize( html, { ALLOWED_TAGS, ALLOWED_ATTR } ),
};
};

const getWooClassName = ( { status = 'default' } ) => {
switch ( status ) {
case 'error':
Expand Down Expand Up @@ -78,11 +69,7 @@ export const StoreNoticesContainer = ( {
}
} }
>
<span
dangerouslySetInnerHTML={ sanitizeHTML(
props.content
) }
/>
{ sanitizeHTML( props.content ) }
</Notice>
) ) }
</div>
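Review bot: The replacement line `{ sanitizeHTML( props.content ) }` renders the sanitized markup as escaped text rather than as HTML: the shared utility in assets/js/utils/sanitize-html.ts now returns DOMPurify's string, and a string placed as a JSX child is escaped by React, so any `<a>`, `<strong>` or `<br>` the allow-list deliberately keeps will appear literally inside the notice. The deleted span is still needed, with the sanitizer's output as the `__html` value: `<span dangerouslySetInnerHTML={ { __html: sanitizeHTML( props.content ) } } />`. If the intent was instead to show notices as plain text, that should be explicit (for instance by passing an empty tag list so DOMPurify strips markup but keeps the text) rather than relying on React's escaping of a string that was sanitized as HTML. The enclosing `StoreNoticesContainer` component starts outside this hunk.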
19 changes: 6 additions & 13 deletions assets/js/utils/sanitize-html.ts
@@ -1,27 +1,20 @@
/**
* External dependencies
*/
import DOMPurify from 'dompurify';

type sanitizedHTMLObject = {
// eslint-disable-next-line @typescript-eslint/naming-convention
__html: string;
};
import { sanitize } from 'dompurify';

const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];

export const sanitizeHTML = (
html: string,
config?: { tags?: typeof ALLOWED_TAGS; attr?: typeof ALLOWED_ATTR }
): sanitizedHTMLObject => {
) => {
const tagsValue = config?.tags || ALLOWED_TAGS;
const attrValue = config?.attr || ALLOWED_ATTR;

return {
__html: DOMPurify.sanitize( html, {
ALLOWED_TAGS: tagsValue,
ALLOWED_ATTR: attrValue,
} ),
};
return sanitize( html, {
ALLOWED_TAGS: tagsValue,
ALLOWED_ATTR: attrValue,
} );
};
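Review bot: The exported `sanitizeHTML` lost its return type when `sanitizedHTMLObject` was removed; the signature line `) => {` should read `): string => {` so the contract change is visible to callers and TypeScript flags any remaining `dangerouslySetInnerHTML={ sanitizeHTML( … ) }` usage at compile time instead of React rejecting a string prop at render time (with this config DOMPurify's `sanitize` returns a plain string, as far as the visible options show). A short TSDoc block above the export would also help, stating that the function sanitizes untrusted markup with DOMPurify against a small tag/attribute allow-list and returns a string that callers must wrap as the `__html` value themselves. One security caveat on the allow-list: `href` and `target` survive on `<a>` while `rel` is merely permitted, not enforced, so links with `target="_blank"` rely on the browser's implicit `noopener`; if older browsers matter, a DOMPurify `afterSanitizeAttributes` hook that sets `rel="noopener noreferrer"` on such anchors would close that gap.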