SONAR-12236 Fix SSF-81
authorJeremy Davis <jeremy.davis@sonarsource.com>
Wed, 26 Jun 2019 12:34:26 +0000 (14:34 +0200)
committersonartech <sonartech@sonarsource.com>
Fri, 28 Jun 2019 06:45:55 +0000 (08:45 +0200)
server/sonar-web/src/main/js/components/issue/components/IssueCommentLine.tsx

index 09de825c56a7ee4e10c6c8cdec08e7e6cabd27cf..e58535bff9f75636c3e2b8775155fbf8221f0a0c 100644 (file)
@@ -18,6 +18,7 @@
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
 import * as React from 'react';
+import { sanitize } from 'dompurify';
 import Avatar from '../../ui/Avatar';
 import Toggler from '../../controls/Toggler';
 import { EditButton, DeleteButton } from '../../ui/buttons';
@@ -89,8 +90,7 @@ export default class IssueCommentLine extends React.PureComponent<Props, State>
         </div>
         <div
           className="issue-comment-text markdown"
-          // Safe: Comes from the backend, after markdown transformation to html
-          dangerouslySetInnerHTML={{ __html: comment.htmlText }}
+          dangerouslySetInnerHTML={{ __html: sanitize(comment.htmlText) }}
         />
         <div className="issue-comment-age">
           <DateFromNow date={comment.createdAt} />
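Review bot: The reason for sanitizing is now undocumented: the hunk removes the `// Safe: Comes from the backend...` comment but adds nothing in its place, so a later maintainer could read the `sanitize(...)` call as redundant with the backend markdown rendering and drop it. A one-line comment above the `dangerouslySetInnerHTML` attribute, such as `// Defense in depth (SSF-81): the backend renders markdown to HTML, but sanitize it again before injecting`, would pin the intent. DOMPurify is called here with its default configuration; if the markdown renderer emits attributes or tags outside that default profile they will be stripped silently, so it is worth confirming the rendered comment output against it. The enclosing render method starts and ends outside the hunk.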