],
1
],
+ "react/forbid-component-props": [
+ "error",
+ {
+ "forbid": [
+ {
+ "propName": "dangerouslySetInnerHTML",
+ "message": "Use the SafeHTMLInjection component instead of 'dangerouslySetInnerHTML', to prevent CSS injection along other XSS attacks"
+ }
+ ]
+ }
+ ],
+ "react/forbid-dom-props": [
+ "error",
+ {
+ "forbid": [
+ {
+ "propName": "dangerouslySetInnerHTML",
+ "message": "Use the SafeHTMLInjection component instead of 'dangerouslySetInnerHTML', to prevent CSS injection along other XSS attacks"
+ }
+ ]
+ }
+ ],
"react/forbid-elements": [
"warn",
{
"rules": {
// Custom SonarCloud config that differs from eslint-config-sonarqube
"camelcase": "off",
+ "react/forbid-component-props": [
+ "error",
+ {
+ "forbid": [
+ {
+ "propName": "dangerouslySetInnerHTML",
+ "message": "Use the SafeHTMLInjection component instead of 'dangerouslySetInnerHTML', to prevent CSS injection along other XSS attacks"
+ }
+ ]
+ }
+ ],
+ "react/forbid-dom-props": [
+ "error",
+ {
+ "forbid": [
+ {
+ "propName": "dangerouslySetInnerHTML",
+ "message": "Use the SafeHTMLInjection component instead of 'dangerouslySetInnerHTML', to prevent CSS injection along other XSS attacks"
+ }
+ ]
+ }
+ ],
"react/jsx-sort-props": "error",
"react/jsx-pascal-case": [2, { "allowNamespace": true }],
"react/jsx-no-constructed-context-values": "error",
"d3-shape": "3.2.0",
"d3-zoom": "3.0.0",
"date-fns": "4.1.0",
+ "dompurify": "3.1.7",
"lodash": "4.17.21",
"react": "18.3.1",
"react-day-picker": "8.10.0",
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import styled from '@emotion/styled';
import classNames from 'classnames';
import hljs, { HighlightResult } from 'highlight.js';
import tw from 'twin.macro';
import { themeColor, themeContrast } from '../helpers/theme';
import { hljsIssueIndicatorPlugin, hljsUnderlinePlugin } from '../sonar-aligned';
+import { SafeHTMLInjection, SanitizeLevel } from '../sonar-aligned/helpers/sanitize';
hljs.registerLanguage('abap', abap);
hljs.registerLanguage('apex', apex);
escapeDom?: boolean;
htmlAsString: string;
language?: string;
+ sanitizeLevel?: SanitizeLevel;
wrap?: boolean | 'words';
}
return doc.documentElement.textContent ?? '';
};
-export function CodeSyntaxHighlighter(props: Props) {
- const { className, htmlAsString, language, wrap, escapeDom = true } = props;
+export function CodeSyntaxHighlighter(props: Readonly<Props>) {
+ const {
+ className,
+ escapeDom = true,
+ htmlAsString,
+ language,
+ sanitizeLevel = SanitizeLevel.FORBID_STYLE,
+ wrap,
+ } = props;
let highlightedHtmlAsString = htmlAsString;
htmlAsString.match(GLOBAL_REGEXP)?.forEach((codeBlock) => {
});
return (
- <StyledSpan
- className={classNames(
- `hljs ${className ?? ''}`,
- { 'code-wrap': wrap },
- { 'wrap-words': wrap === 'words' },
- )}
- // Safe: value is escaped by highlight.js
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: highlightedHtmlAsString }}
- />
+ <SafeHTMLInjection htmlAsString={highlightedHtmlAsString} sanitizeLevel={sanitizeLevel}>
+ <StyledSpan
+ className={classNames(
+ `hljs ${className ?? ''}`,
+ { 'code-wrap': wrap },
+ { 'wrap-words': wrap === 'words' },
+ )}
+ />
+ </SafeHTMLInjection>
);
}
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import styled from '@emotion/styled';
import { ElementType } from 'react';
import tw from 'twin.macro';
import { themeColor, themeContrast } from '../helpers/theme';
+import { SafeHTMLInjection } from '../sonar-aligned/helpers/sanitize';
interface TextBoldProps {
className?: string;
*/
export function TextBold({ match, name, className }: TextBoldProps) {
return match ? (
- <StyledText
- className={className}
- // Safe: comes from the search engine, that injects bold tags into component names
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: match }}
- />
+ <SafeHTMLInjection htmlAsString={match}>
+ <StyledText className={className} />
+ </SafeHTMLInjection>
) : (
<StyledText className={className} title={name}>
{name}
/** @deprecated Use Text (with `isSubdued` prop) from Echoes instead.
*/
-export function TextMuted({ text, className }: { className?: string; text: string }) {
+export function TextMuted({ text, className }: Readonly<{ className?: string; text: string }>) {
return (
<StyledMutedText className={className} title={text}>
{text}
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
export * from './colors';
export * from './constants';
export * from './keyboard';
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+import { render, screen } from '@testing-library/react';
+import {
+ SafeHTMLInjection,
+ sanitizeHTMLNoSVGNoMathML,
+ sanitizeHTMLRestricted,
+ sanitizeHTMLToPreventCSSInjection,
+ sanitizeHTMLUserInput,
+} from '../sanitize';
+
+/*
+ * Test code borrowed from OWASP's sanitizer tests
+ * https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/resources/org/owasp/html/htmllexerinput1.html
+ */
+const tainted = `<?xml version="not-even-close"?>
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+
+<!-- a test input for HtmlLexer -->
+
+<html lang="en" xml:lang="en">
+<head>
+<title>Test File For HtmlLexer & HtmlParser</title>
+<link rel=stylesheet type="text/css" src=foo/bar.css />
+<body
+ bgcolor=white
+ linkcolor = "blue"
+ onload="document.writeln(
+ "<p>properly escaped code in a handler</p>");"
+>
+
+<script type="text/javascript"><!--
+document.writeln("<p>Some initialization code in global context</p>");
+--></script>
+
+<script type="text/javascript">
+// hi there
+document.writeln("<p>More initialization</p>");
+</script>
+
+<div id=clickydiv onclick="handleClicky(event)"
+ ondblclick=this.onclick(event);return(false)>
+Clicky
+</div>
+
+<input id=foo>
+<gxp:attr name="onchange">alert("<b>hi</b>");</gxp:attr>
+</input>
+
+<pre><div id=notarealtag onclick=notcode()></pre>
+
+<!-- some tokenization corner cases -->
+
+< notatag <atag/>
+
+</ notatag> </redundantlyclosed/>
+
+<messyattributes a=b=c d="e"f=g h =i j= k l = m checked n="o"/>
+
+< < < all in one text block > > >
+
+<xmp>Make sure that <!-- comments don't obscure the xmp close</xmp>
+<% # some php code here
+write("<pre>$horriblySyntacticConstruct1</pre>\n\n");
+%>
+<script type="text/javascript"><!--
+alert("hello world");
+// --></script>
+
+<script>/* </script> */alert('hi');</script>
+<script><!--/* </script> */alert('hi');--></script>
+
+<xmp style=color:blue><!--/* </xmp> */alert('hi');--></xmp>
+
+<style><!-- p { contentf: '</style>' } --></style>
+<style>Foo<!-- > </style> --></style>
+<textarea><!-- Zoicks </textarea>--></textarea>
+<!-- An escaping text span start may share its U+002D HYPHEN-MINUS characters
+ - with its corresponding escaping text span end. -->
+<script><!--></script>
+<script><!---></script>
+<script><!----></script>
+
+This is <b>bold</b> and this is <i>italic</i> and this is <u>underlined</u>.
+<br />
+A <blockquote>quote</blockquote> and a <code>code</code> and a <pre>pre</pre>.
+An <h1>h1</h1> and an <h2>h2</h2> and an <h3>h3</h3> and an <h4>h4</h4> and an <h5>h5</h5> and an <h6>h6</h6>.
+An <ol><li>ol</li></ol> and a <ul><li>ul</li></ul> and a <p style="color:blue">p</p>.
+A <strong>strong</strong> and a <a href="foo" ping="pong" rel="noopener" target="__blank" >link</a>
+
+<a href="javascript:alert('hello')" target="_blank">this is wrong</a>
+
+<svg><text>SVG isn't always allowed</text></svg>
+
+<math xmlns="http://www.w3.org/1998/Math/MathML">
+ <infinity />
+</math>
+
+</body>
+</html>
+<![CDATA[ No such thing as a CDATA> section in HTML ]]>
+<script>a<b</script>
+<img src=foo.gif /><a href=><a href=/>
+<span title=malformed attribs' do=don't id=foo checked onclick="a<b">Bar</span>`;
+
+describe('sanitizeHTMLToPreventCSSInjection', () => {
+ it('should strip off style attributes', () => {
+ const clean = `
+ <div id="clickydiv">
+ Clicky
+ </div>
+ <input id="foo">
+ alert("<b>hi</b>");
+ <pre><div id=notarealtag onclick=notcode()></pre>
+ < notatag
+ < < < all in one text block > > >
+ <% # some php code here
+ write("<pre>$horriblySyntacticConstruct1</pre>
+ ");
+ %>
+ */alert('hi');
+ */alert('hi');-->
+ */alert('hi');--> ' } -->
+ -->
+ <textarea><!-- Zoicks </textarea>-->
+ This is <b>bold</b> and this is <i>italic</i> and this is <u>underlined</u>.
+ <br>
+ A <blockquote>quote</blockquote> and a <code>code</code> and a <pre>pre</pre>.
+ An <h1>h1</h1> and an <h2>h2</h2> and an <h3>h3</h3> and an <h4>h4</h4> and an <h5>h5</h5> and an <h6>h6</h6>.
+ An <ol><li>ol</li></ol> and a <ul><li>ul</li></ul> and a <p>p</p>.
+ A <strong>strong</strong> and a <a rel="noopener" href="foo">link</a>
+ <a>this is wrong</a>
+ <svg><text>SVG isn't always allowed</text></svg>
+ <math xmlns="http://www.w3.org/1998/Math/MathML">
+ </math>
+ section in HTML ]]>
+ <img src="foo.gif"><a href=""></a><a href="/">
+ <span checked="" id="foo" title="malformed">Bar</span></a>`;
+
+ expect(sanitizeHTMLToPreventCSSInjection(tainted).trimEnd().replace(/\s+/g, ' ')).toBe(
+ clean.replace(/\s+/g, ' '),
+ );
+ });
+});
+
+describe('sanitizeHTMLNoSVGNoMathML', () => {
+ it('should not allow MathML and SVG', () => {
+ const clean = `
+ <div id="clickydiv">
+ Clicky
+ </div>
+ <input id="foo">
+ alert("<b>hi</b>");
+ <pre><div id=notarealtag onclick=notcode()></pre>
+ < notatag
+ < < < all in one text block > > >
+ <% # some php code here
+ write("<pre>$horriblySyntacticConstruct1</pre>
+ ");
+ %>
+ */alert('hi');
+ */alert('hi');-->
+ */alert('hi');--> ' } -->
+ -->
+ <textarea><!-- Zoicks </textarea>-->
+ This is <b>bold</b> and this is <i>italic</i> and this is <u>underlined</u>.
+ <br>
+ A <blockquote>quote</blockquote> and a <code>code</code> and a <pre>pre</pre>.
+ An <h1>h1</h1> and an <h2>h2</h2> and an <h3>h3</h3> and an <h4>h4</h4> and an <h5>h5</h5> and an <h6>h6</h6>.
+ An <ol><li>ol</li></ol> and a <ul><li>ul</li></ul> and a <p>p</p>.
+ A <strong>strong</strong> and a <a rel="noopener" href="foo">link</a>
+ <a>this is wrong</a>
+ section in HTML ]]>
+ <img src="foo.gif"><a href=""></a><a href="/">
+ <span checked="" id="foo" title="malformed">Bar</span></a>`;
+
+ expect(sanitizeHTMLNoSVGNoMathML(tainted).trimEnd().replace(/\s+/g, ' ')).toBe(
+ clean.replace(/\s+/g, ' '),
+ );
+ });
+});
+
+describe('sanitizeHTMLUserInput', () => {
+ it('should preserve only specific formatting tags and attributes', () => {
+ const clean = `
+ Clicky
+ alert("<b>hi</b>");
+ <pre><div id=notarealtag onclick=notcode()></pre>
+ < notatag
+ < < < all in one text block > > >
+ <% # some php code here
+ write("<pre>$horriblySyntacticConstruct1</pre>
+ ");
+ %>
+ */alert('hi');
+ */alert('hi');-->
+ */alert('hi');--> ' } -->
+ -->
+ <!-- Zoicks -->
+ This is <b>bold</b> and this is <i>italic</i> and this is underlined.
+ <br>
+ A <blockquote>quote</blockquote> and a <code>code</code> and a <pre>pre</pre>.
+ An <h1>h1</h1> and an <h2>h2</h2> and an <h3>h3</h3> and an <h4>h4</h4> and an <h5>h5</h5> and an <h6>h6</h6>.
+ An <ol><li>ol</li></ol> and a <ul><li>ul</li></ul> and a <p>p</p>.
+ A <strong>strong</strong> and a <a rel="noopener" href="foo">link</a>
+ <a>this is wrong</a>
+ section in HTML ]]>
+ <a href=""></a><a href="/">
+ Bar</a>`;
+
+ expect(sanitizeHTMLUserInput(tainted).trimEnd().replace(/\s+/g, ' ')).toBe(
+ clean.replace(/\s+/g, ' '),
+ );
+ });
+});
+
+describe('sanitizeHTMLRestricted', () => {
+ it('should preserve only a very limited list of formatting tags and attributes', () => {
+ const clean = `
+ Clicky
+ alert("<b>hi</b>");
+ <div id=notarealtag onclick=notcode()>
+ < notatag
+ < < < all in one text block > > >
+ <% # some php code here
+ write("$horriblySyntacticConstruct1
+ ");
+ %>
+ */alert('hi');
+ */alert('hi');-->
+ */alert('hi');--> ' } -->
+ -->
+ <!-- Zoicks -->
+ This is <b>bold</b> and this is <i>italic</i> and this is underlined.
+ <br>
+ A quote and a <code>code</code> and a pre.
+ An h1 and an h2 and an h3 and an h4 and an h5 and an h6.
+ An <li>ol</li> and a <ul><li>ul</li></ul> and a <p>p</p>.
+ A <strong>strong</strong> and a <a href="foo">link</a>
+ <a>this is wrong</a>
+ section in HTML ]]>
+ <a href=""></a><a href="/">
+ Bar</a>`;
+
+ expect(sanitizeHTMLRestricted(tainted).trimEnd().replace(/\s+/g, ' ')).toBe(
+ clean.replace(/\s+/g, ' '),
+ );
+ });
+});
+
+describe('SafeHTMLInjection', () => {
+ it('should default to a span and the SanitizeLevel.FORBID_STYLE level', () => {
+ const tainted = `
+ <head>
+ <link rel=stylesheet type="text/css" src=foo/bar.css />
+ <style>some style</style>
+ </head>
+
+ <body>
+ <p style="color:blue">a stylish paragraph</p>
+
+ <svg><text>SVG isn't always allowed</text></svg>
+
+ <math xmlns="http://www.w3.org/1998/Math/MathML">
+ <infinity />
+ </math>
+ </body>
+ `;
+
+ render(<SafeHTMLInjection htmlAsString={tainted} />);
+
+ expect(screen.getByText('a stylish paragraph')).toBeInTheDocument();
+ expect(screen.getByText("SVG isn't always allowed")).toBeInTheDocument();
+ });
+});
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+export * from './sanitize';
export * from './tabs';
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+import dompurify from 'dompurify';
+
+import React from 'react';
+
+const { sanitize } = dompurify;
+
+export enum SanitizeLevel {
+ FORBID_STYLE, // minimum sanitation level to prevent CSS injections
+ FORBID_SVG_MATHML, // adds SVG and MathML exclusion
+ USER_INPUT, // adds restrictions on tags and attributes
+ RESTRICTED, // adds even more restrictions on tags and attributes
+}
+
+export const sanitizeFunctionByLevel = (sanitizeLevel: SanitizeLevel) =>
+ ({
+ [SanitizeLevel.FORBID_STYLE]: sanitizeHTMLToPreventCSSInjection,
+ [SanitizeLevel.FORBID_SVG_MATHML]: sanitizeHTMLNoSVGNoMathML,
+ [SanitizeLevel.USER_INPUT]: sanitizeHTMLUserInput,
+ [SanitizeLevel.RESTRICTED]: sanitizeHTMLRestricted,
+ })[sanitizeLevel];
+
+export const sanitizeHTMLToPreventCSSInjection = (htmlAsString: string) =>
+ sanitize(htmlAsString, {
+ FORBID_ATTR: ['style'],
+ FORBID_TAGS: ['style'],
+ });
+
+export function sanitizeHTMLNoSVGNoMathML(htmlAsString: string) {
+ return sanitize(htmlAsString, {
+ FORBID_ATTR: ['style'],
+ FORBID_TAGS: ['style'],
+ USE_PROFILES: { html: true },
+ });
+}
+
+export function sanitizeHTMLUserInput(htmlAsString: string) {
+ return sanitize(htmlAsString, {
+ ALLOWED_ATTR: ['href', 'rel'],
+ ALLOWED_TAGS: [
+ 'a',
+ 'b',
+ 'blockquote',
+ 'br',
+ 'code',
+ 'h1',
+ 'h2',
+ 'h3',
+ 'h4',
+ 'h5',
+ 'h6',
+ 'i',
+ 'li',
+ 'ol',
+ 'p',
+ 'pre',
+ 'strong',
+ 'ul',
+ ],
+ });
+}
+
+export function sanitizeHTMLRestricted(htmlAsString: string) {
+ return sanitize(htmlAsString, {
+ ALLOWED_ATTR: ['href'],
+ ALLOWED_TAGS: ['a', 'b', 'br', 'code', 'i', 'li', 'p', 'strong', 'ul'],
+ });
+}
+
+/**
+ * Safely injects HTML into an element with no risk of XSS attacks.
+ *
+ * @param children The React element to clone with the sanitized HTML (defaults to a `span`)
+ * @param htmlAsString The HTML string to sanitize and inject (required)
+ * @param sanitizeLevel The level of sanitation to apply (defaults to `SanitizeLevel.FORBID_STYLE`)
+ *
+ * @returns A React element with the sanitized HTML injected, and all other props preserved
+ *
+ * @example
+ * Here's a simple example with no children:
+ * ```
+ * <SafeHTMLInjection htmlAsString={taintedString} />
+ * ```
+ *
+ * @example
+ * Here's an example with a custom `sanitizeLevel` and a child `div`:
+ * ```
+ * <SafeHTMLInjection htmlAsString={taintedString} sanitizeLevel={SanitizeLevel.RESTRICTED}>
+ * // the HTML will be safely injected in the div below, with the className preserved:
+ * <div className="someClassThatWillBePreserved" />
+ * </SafeHTMLInjection>
+ * ```
+ */
+export const SafeHTMLInjection = ({
+ children,
+ htmlAsString,
+ sanitizeLevel = SanitizeLevel.FORBID_STYLE,
+}: Readonly<{
+ children?: React.ReactElement;
+ htmlAsString: string;
+ sanitizeLevel?: SanitizeLevel;
+}>) =>
+ React.cloneElement(children ?? <span />, {
+ dangerouslySetInnerHTML: { __html: sanitizeFunctionByLevel(sanitizeLevel)(htmlAsString) },
+ });
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import { Button, ButtonVariety } from '@sonarsource/echoes-react';
-import { FlagMessage, HtmlFormatter, Modal, Spinner } from 'design-system';
+import {
+ FlagMessage,
+ HtmlFormatter,
+ Modal,
+ SafeHTMLInjection,
+ SanitizeLevel,
+ Spinner,
+} from 'design-system';
import * as React from 'react';
import { dismissAnalysisWarning, getTask } from '../../../api/ce';
import withCurrentUserContext from '../../../app/components/current-user/withCurrentUserContext';
import { translate } from '../../../helpers/l10n';
-import { sanitizeStringRestricted } from '../../../helpers/sanitize';
import { TaskWarning } from '../../../types/tasks';
import { CurrentUser } from '../../../types/users';
<div className="sw-flex sw-items-center sw-mt-2">
<FlagMessage variant="warning">
<HtmlFormatter>
- <span
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{
- __html: sanitizeStringRestricted(message.trim().replace(/\n/g, '<br />')),
- }}
+ <SafeHTMLInjection
+ htmlAsString={message.trim().replace(/\n/g, '<br />')}
+ sanitizeLevel={SanitizeLevel.RESTRICTED}
/>
</HtmlFormatter>
</FlagMessage>
InputTextArea,
LabelValueSelectOption,
Note,
+ SafeHTMLInjection,
+ SanitizeLevel,
Switch,
} from 'design-system';
import * as React from 'react';
import { useAvailableFeatures } from '../../../app/components/available-features/withAvailableFeatures';
import DocumentationLink from '../../../components/common/DocumentationLink';
import { DocLink } from '../../../helpers/doc-links';
-import { sanitizeString } from '../../../helpers/sanitize';
import { useActivateRuleMutation } from '../../../queries/quality-profiles';
import { Feature } from '../../../types/features';
import { IssueSeverity } from '../../../types/issues';
/>
)}
{param.htmlDesc !== undefined && (
- <Note
- as="div"
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeString(param.htmlDesc) }}
- />
+ <SafeHTMLInjection
+ htmlAsString={param.htmlDesc}
+ sanitizeLevel={SanitizeLevel.FORBID_SVG_MATHML}
+ >
+ <Note as="div" />
+ </SafeHTMLInjection>
)}
</FormField>
))
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import { HttpStatusCode } from 'axios';
import {
ButtonPrimary,
LabelValueSelectOption,
LightLabel,
Modal,
+ SafeHTMLInjection,
+ SanitizeLevel,
} from 'design-system';
import * as React from 'react';
import { Status } from '~sonar-aligned/types/common';
import { RULE_STATUSES } from '../../../helpers/constants';
import { csvEscape } from '../../../helpers/csv';
import { translate } from '../../../helpers/l10n';
-import { sanitizeString } from '../../../helpers/sanitize';
import { latinize } from '../../../helpers/strings';
import { useCreateRuleMutation, useUpdateRuleMutation } from '../../../queries/rules';
import {
value={actualValue}
/>
)}
+
{param.htmlDesc !== undefined && (
- <LightLabel
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeString(param.htmlDesc) }}
- />
+ <SafeHTMLInjection
+ htmlAsString={param.htmlDesc}
+ sanitizeLevel={SanitizeLevel.FORBID_SVG_MATHML}
+ >
+ <LightLabel />
+ </SafeHTMLInjection>
)}
</FormField>
);
ButtonSecondary,
CodeSyntaxHighlighter,
InputTextArea,
+ SanitizeLevel,
} from 'design-system';
import * as React from 'react';
import FormattingTips from '../../../components/common/FormattingTips';
import RuleTabViewer from '../../../components/rules/RuleTabViewer';
import { translate, translateWithParameters } from '../../../helpers/l10n';
-import { sanitizeUserInput } from '../../../helpers/sanitize';
import { useUpdateRuleMutation } from '../../../queries/rules';
import { RuleDetails } from '../../../types/types';
import RemoveExtendedDescriptionModal from './RemoveExtendedDescriptionModal';
{ruleDetails.htmlNote !== undefined && (
<CodeSyntaxHighlighter
className="markdown sw-my-6"
- htmlAsString={sanitizeUserInput(ruleDetails.htmlNote)}
+ htmlAsString={ruleDetails.htmlNote}
language={ruleDetails.lang}
+ sanitizeLevel={SanitizeLevel.USER_INPUT}
/>
)}
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
-import { CellComponent, Note, SubHeadingHighlight, Table, TableRow } from 'design-system';
+
+import {
+ CellComponent,
+ Note,
+ SafeHTMLInjection,
+ SanitizeLevel,
+ SubHeadingHighlight,
+ Table,
+ TableRow,
+} from 'design-system';
import * as React from 'react';
import { translate } from '../../../helpers/l10n';
-import { sanitizeString } from '../../../helpers/sanitize';
import { RuleParameter } from '../../../types/types';
interface Props {
<CellComponent>
<div className="sw-flex sw-flex-col sw-gap-2">
{param.htmlDesc !== undefined && (
- <div
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeString(param.htmlDesc) }}
- />
+ <SafeHTMLInjection
+ htmlAsString={param.htmlDesc}
+ sanitizeLevel={SanitizeLevel.FORBID_SVG_MATHML}
+ >
+ <div />
+ </SafeHTMLInjection>
)}
{param.defaultValue !== undefined && (
<Note as="div">
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import styled from '@emotion/styled';
import {
DangerButtonPrimary,
LightLabel,
Modal,
PencilIcon,
+ SafeHTMLInjection,
+ SanitizeLevel,
TrashIcon,
themeBorder,
} from 'design-system';
import IssueChangelogDiff from '../../../components/issue/components/IssueChangelogDiff';
import Avatar from '../../../components/ui/Avatar';
import { translate, translateWithParameters } from '../../../helpers/l10n';
-import { sanitizeUserInput } from '../../../helpers/sanitize';
import { ReviewHistoryType } from '../../../types/security-hotspots';
import { Issue, IssueChangelog } from '../../../types/types';
import HotspotCommentModal from '../../security-hotspots/components/HotspotCommentModal';
onEditComment: (key: string, comment: string) => void;
}
-export default function IssueReviewHistory(props: HotspotReviewHistoryProps) {
+const getUpdatedChangelog = ({ changelog }: { changelog: IssueChangelog[] }) =>
+ changelog.map((changelogItem) => {
+ const diffHasIssueStatusChange = changelogItem.diffs.some((diff) => diff.key === 'issueStatus');
+
+ return {
+ ...changelogItem,
+ // If the diff is an issue status change, we remove deprecated status and resolution diffs
+ diffs: changelogItem.diffs.filter(
+ (diff) => !(diffHasIssueStatusChange && ['resolution', 'status'].includes(diff.key)),
+ ),
+ };
+ });
+
+export default function IssueReviewHistory(props: Readonly<HotspotReviewHistoryProps>) {
const { issue } = props;
const [changeLog, setChangeLog] = React.useState<IssueChangelog[]>([]);
const history = useGetIssueReviewHistory(issue, changeLog);
React.useEffect(() => {
getIssueChangelog(issue.key).then(
({ changelog }) => {
- const updatedChangelog = changelog.map((changelogItem) => {
- const diffHasIssueStatusChange = changelogItem.diffs.some(
- (diff) => diff.key === 'issueStatus',
- );
-
- return {
- ...changelogItem,
- // If the diff is an issue status change, we remove deprecated status and resolution diffs
- diffs: changelogItem.diffs.filter(
- (diff) => !(diffHasIssueStatusChange && ['resolution', 'status'].includes(diff.key)),
- ),
- };
- });
+ const updatedChangelog = getUpdatedChangelog({ changelog });
+
setChangeLog(updatedChangelog);
},
() => {},
<div className="sw-typo-semibold sw-mb-1">
<DateTimeFormatter date={date} />
</div>
+
<LightLabel as="div" className="sw-flex sw-gap-2">
{user.name && (
<div className="sw-flex sw-items-center sw-gap-1">
{type === ReviewHistoryType.Comment && key && html && markdown && (
<div className="sw-mt-2 sw-flex sw-justify-between">
- <CommentBox
- className="sw-pl-2 sw-ml-2 sw-typo-default"
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeUserInput(html) }}
- />
+ <SafeHTMLInjection htmlAsString={html} sanitizeLevel={SanitizeLevel.USER_INPUT}>
+ <CommentBox className="sw-pl-2 sw-ml-2 sw-typo-default" />
+ </SafeHTMLInjection>
{updatable && (
<div className="sw-flex sw-gap-6">
size="small"
stopPropagation={false}
/>
+
<DestructiveIcon
Icon={TrashIcon}
aria-label={translate('issue.comment.delete')}
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import { Button, ButtonVariety } from '@sonarsource/echoes-react';
-import { FlagMessage, HtmlFormatter, Modal, Spinner } from 'design-system';
+import {
+ FlagMessage,
+ HtmlFormatter,
+ Modal,
+ SafeHTMLInjection,
+ SanitizeLevel,
+ Spinner,
+} from 'design-system';
import * as React from 'react';
import withCurrentUserContext from '../../../app/components/current-user/withCurrentUserContext';
import { translate } from '../../../helpers/l10n';
-import { sanitizeStringRestricted } from '../../../helpers/sanitize';
import { useDismissBranchWarningMutation } from '../../../queries/branch';
import { TaskWarning } from '../../../types/tasks';
import { Component } from '../../../types/types';
<div className="sw-flex sw-items-center sw-mt-2">
<FlagMessage variant="warning">
<HtmlFormatter>
- <span
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{
- __html: sanitizeStringRestricted(message.trim().replace(/\n/g, '<br />')),
- }}
+ <SafeHTMLInjection
+ htmlAsString={message.trim().replace(/\n/g, '<br />')}
+ sanitizeLevel={SanitizeLevel.RESTRICTED}
/>
</HtmlFormatter>
</FlagMessage>
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import styled from '@emotion/styled';
import {
DangerButtonPrimary,
LightLabel,
Modal,
PencilIcon,
+ SafeHTMLInjection,
+ SanitizeLevel,
TrashIcon,
themeBorder,
} from 'design-system';
import IssueChangelogDiff from '../../../components/issue/components/IssueChangelogDiff';
import Avatar from '../../../components/ui/Avatar';
import { translate, translateWithParameters } from '../../../helpers/l10n';
-import { sanitizeUserInput } from '../../../helpers/sanitize';
import { Hotspot, ReviewHistoryType } from '../../../types/security-hotspots';
import { getHotspotReviewHistory } from '../utils';
import HotspotCommentModal from './HotspotCommentModal';
onEditComment: (key: string, comment: string) => void;
}
-export default function HotspotReviewHistory(props: HotspotReviewHistoryProps) {
+export default function HotspotReviewHistory(props: Readonly<HotspotReviewHistoryProps>) {
const { hotspot } = props;
const history = getHotspotReviewHistory(hotspot);
const [editCommentKey, setEditCommentKey] = React.useState('');
{type === ReviewHistoryType.Comment && key && html && markdown && (
<div className="sw-mt-2 sw-flex sw-justify-between">
- <CommentBox
- className="sw-pl-2 sw-ml-2 sw-typo-default"
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeUserInput(html) }}
- />
+ <SafeHTMLInjection htmlAsString={html} sanitizeLevel={SanitizeLevel.USER_INPUT}>
+ <CommentBox className="sw-pl-2 sw-ml-2 sw-typo-default" />
+ </SafeHTMLInjection>
{updatable && (
<div className="sw-flex sw-gap-6">
Card,
FlagMessage,
PageContentFontWrapper,
+ SafeHTMLInjection,
+ SanitizeLevel,
Title,
themeBorder,
themeColor,
import { Image } from '~sonar-aligned/components/common/Image';
import { Location } from '~sonar-aligned/types/router';
import { translate } from '../../../helpers/l10n';
-import { sanitizeUserInput } from '../../../helpers/sanitize';
import { getReturnUrl } from '../../../helpers/urls';
import { IdentityProvider } from '../../../types/types';
import LoginForm from './LoginForm';
)}
{message !== undefined && message.length > 0 && (
- <StyledMessage
- className="markdown sw-rounded-2 sw-p-4 sw-mb-6"
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeUserInput(message) }}
- />
+ <SafeHTMLInjection htmlAsString={message} sanitizeLevel={SanitizeLevel.USER_INPUT}>
+ <StyledMessage className="markdown sw-rounded-2 sw-p-4 sw-mb-6" />
+ </SafeHTMLInjection>
)}
{identityProviders.length > 0 && (
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
import { Text, Tooltip } from '@sonarsource/echoes-react';
-import { SubHeading } from 'design-system';
+import { SafeHTMLInjection, SanitizeLevel, SubHeading } from 'design-system';
import * as React from 'react';
import { translateWithParameters } from '../../../helpers/l10n';
-import { sanitizeStringRestricted } from '../../../helpers/sanitize';
import { ExtendedSettingDefinition } from '../../../types/settings';
import { getPropertyDescription, getPropertyName } from '../utils';
</SubHeading>
{description && (
- <div
- className="markdown sw-mt-1"
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeStringRestricted(description) }}
- />
+ <SafeHTMLInjection htmlAsString={description} sanitizeLevel={SanitizeLevel.RESTRICTED}>
+ <div className="markdown sw-mt-1" />
+ </SafeHTMLInjection>
)}
<Tooltip content={translateWithParameters('settings.key_x', definition.key)}>
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
-import { BasicSeparator, Note, SubTitle } from 'design-system';
+
+import { BasicSeparator, Note, SafeHTMLInjection, SanitizeLevel, SubTitle } from 'design-system';
import { groupBy, sortBy } from 'lodash';
import * as React from 'react';
import { withRouter } from '~sonar-aligned/components/hoc/withRouter';
import { Location } from '~sonar-aligned/types/router';
-import { sanitizeStringRestricted } from '../../../helpers/sanitize';
import { SettingDefinitionAndValue } from '../../../types/settings';
import { Component } from '../../../types/types';
import { SUB_CATEGORY_EXCLUSIONS } from '../constants';
{subCategory.name}
</SubTitle>
)}
+
{subCategory.description != null && (
- <Note
- className="markdown"
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{
- __html: sanitizeStringRestricted(subCategory.description),
- }}
- />
+ <SafeHTMLInjection
+ htmlAsString={subCategory.description}
+ sanitizeLevel={SanitizeLevel.RESTRICTED}
+ >
+ <Note className="markdown" />
+ </SafeHTMLInjection>
)}
+
<BasicSeparator className="sw-mt-6" />
<DefinitionsList
component={component}
HtmlFormatter,
InputTextArea,
PencilIcon,
+ SafeHTMLInjection,
+ SanitizeLevel,
themeBorder,
themeColor,
} from 'design-system';
import * as React from 'react';
import FormattingTipsWithLink from '../../../../components/common/FormattingTipsWithLink';
import { translate } from '../../../../helpers/l10n';
-import { sanitizeUserInput } from '../../../../helpers/sanitize';
import { DefaultSpecializedInputProps, getPropertyName } from '../../utils';
function InputForFormattedText(
) : (
<>
<HtmlFormatter>
- <FormattedPreviewBox
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html: sanitizeUserInput(formattedValue ?? '') }}
- />
+ <SafeHTMLInjection
+ htmlAsString={formattedValue ?? ''}
+ sanitizeLevel={SanitizeLevel.USER_INPUT}
+ >
+ <FormattedPreviewBox />
+ </SafeHTMLInjection>
</HtmlFormatter>
<ButtonSecondary className="sw-mt-2" onClick={props.onEditing} icon={<PencilIcon />}>
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
-import { Badge, Card, LinkBox, LinkIcon, SubHeading, Tabs } from 'design-system';
+
+import { Badge, Card, LinkBox, LinkIcon, SafeHTMLInjection, SubHeading, Tabs } from 'design-system';
import * as React from 'react';
import { queryToSearchString } from '~sonar-aligned/helpers/urls';
import { translate, translateWithParameters } from '../../../helpers/l10n';
{action.deprecatedSince && <DeprecatedBadge since={action.deprecatedSince} />}
</header>
- <div
- className="sw-mt-4 markdown"
- // Safe: comes from the backend
- dangerouslySetInnerHTML={{ __html: action.description }}
- />
+ <SafeHTMLInjection htmlAsString={action.description}>
+ <div className="sw-mt-4 markdown" />
+ </SafeHTMLInjection>
<div className="sw-mt-4">
<Tabs options={tabOptions} onChange={(opt) => setTab(opt)} value={tab} />
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
-import { SubTitle } from 'design-system';
+
+import { SafeHTMLInjection, SubTitle } from 'design-system';
import { isEmpty } from 'lodash';
import * as React from 'react';
import { WebApi } from '../../../types/types';
</header>
{!isEmpty(domain.description) && (
- <div
- className="sw-mt-3 markdown"
- // Safe: comes from the backend
- dangerouslySetInnerHTML={{ __html: domain.description }}
- />
+ <SafeHTMLInjection htmlAsString={domain.description}>
+ <div className="sw-mt-3 markdown" />
+ </SafeHTMLInjection>
)}
<div className="sw-mt-4 sw-flex sw-flex-col sw-gap-4">
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
-import { ContentCell, DarkLabel, HtmlFormatter, Note, Table, TableRow } from 'design-system';
+
+import {
+ ContentCell,
+ DarkLabel,
+ HtmlFormatter,
+ Note,
+ SafeHTMLInjection,
+ Table,
+ TableRow,
+} from 'design-system';
import * as React from 'react';
import { translate, translateWithParameters } from '../../../helpers/l10n';
import { WebApi } from '../../../types/types';
{this.renderKey(param)}
<ContentCell>
- <div
- className="markdown"
- // Safe: comes from the backend
- dangerouslySetInnerHTML={{ __html: param.description }}
- />
+ <SafeHTMLInjection htmlAsString={param.description}>
+ <div className="markdown" />
+ </SafeHTMLInjection>
</ContentCell>
<ContentCell>
CodeSyntaxHighlighter,
FlagMessage,
HtmlFormatter,
+ SanitizeLevel,
ToggleButton,
themeBorder,
themeColor,
import { RuleDescriptionSection, RuleDescriptionSections } from '../../apps/coding-rules/rule';
import applyCodeDifferences from '../../helpers/code-difference';
import { translate, translateWithParameters } from '../../helpers/l10n';
-import { sanitizeString } from '../../helpers/sanitize';
import { isDefined } from '../../helpers/types';
import { Cve as CveDetailsType } from '../../types/cves';
import { CveDetails } from './CveDetails';
{isDefined(introductionSection) && (
<CodeSyntaxHighlighter
className="rule-desc"
- htmlAsString={sanitizeString(introductionSection)}
+ htmlAsString={introductionSection}
language={language}
+ sanitizeLevel={SanitizeLevel.FORBID_SVG_MATHML}
/>
)}
{defaultContext && (
<OtherContextOption />
) : (
<CodeSyntaxHighlighter
- htmlAsString={sanitizeString(selectedContext.content)}
+ htmlAsString={selectedContext.content}
language={language}
+ sanitizeLevel={SanitizeLevel.FORBID_SVG_MATHML}
/>
)}
{isDefined(introductionSection) && (
<CodeSyntaxHighlighter
className="rule-desc"
- htmlAsString={sanitizeString(introductionSection)}
+ htmlAsString={introductionSection}
language={language}
+ sanitizeLevel={SanitizeLevel.FORBID_SVG_MATHML}
/>
)}
<CodeSyntaxHighlighter
- htmlAsString={sanitizeString(sections[0].content)}
+ htmlAsString={sections[0].content}
language={language}
+ sanitizeLevel={SanitizeLevel.FORBID_SVG_MATHML}
/>
{cve && <CveDetails cve={cve} />}
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
import { render } from '@testing-library/react';
+import { SafeHTMLInjection } from 'design-system/lib';
import React from 'react';
import applyCodeDifferences from '../code-difference';
function renderDom(codeSnippet: string) {
return render(
- <div
- className="markdown"
- // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{
- __html: codeSnippet,
- }}
- />,
+ <SafeHTMLInjection htmlAsString={codeSnippet}>
+ <div className="markdown" />
+ </SafeHTMLInjection>,
);
}
+++ /dev/null
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-import { sanitizeString, sanitizeStringRestricted } from '../sanitize';
-
-describe('sanitizeStringRestricted', () => {
- it('should preserve only specific formatting tags', () => {
- expect(
- sanitizeStringRestricted(`
- Hi <a href="http://example.com" target="_blank">this</a> is <i>in italics</i> and <ul>
- <li> lists </li>
- <li> are allowed</li>
- </ul>
- <p>
- as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
- and <code>code.is.accepted too</code>
- </p>
- `),
- ).toBe(`
- Hi <a target="_blank" href="http://example.com">this</a> is <i>in italics</i> and <ul>
- <li> lists </li>
- <li> are allowed</li>
- </ul>
- <p>
- as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
- and <code>code.is.accepted too</code>
- </p>
- `);
- });
-
- /*
- * Test code borrowed from OWASP's sanitizer tests
- * https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/resources/org/owasp/html/htmllexerinput1.html
- */
- it('should strip everything else', () => {
- const clean = sanitizeStringRestricted(`<?xml version="not-even-close"?>
-
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
- <!-- a test input for HtmlLexer -->
-
- <html>
- <head>
- <title>Test File For HtmlLexer & HtmlParser</title>
- <link rel=stylesheet type="text/css" src=foo/bar.css />
- <body
- bgcolor=white
- linkcolor = "blue"
- onload="document.writeln(
- "<p>properly escaped code in a handler</p>");"
- >
-
- <script type="text/javascript"><!--
- document.writeln("<p>Some initialization code in global context</p>");
- --></script>
-
- <script type="text/javascript">
- // hi there
- document.writeln("<p>More initialization</p>");
- </script>
-
- <div id=clickydiv onclick="handleClicky(event)"
- ondblclick=this.onclick(event);return(false)>
- Clicky
- </div>
-
- <input id=foo>
- <gxp:attr name="onchange">alert("<b>hi</b>");</gxp:attr>
- </input>
-
- <pre><div id=notarealtag onclick=notcode()></pre>
-
- <!-- some tokenization corner cases -->
-
- < notatag <atag/>
-
- </ notatag> </redundantlyclosed/>
-
- <messyattributes a=b=c d="e"f=g h =i j= k l = m checked n="o"/>
-
- < < < all in one text block > > >
-
- <xmp>Make sure that <!-- comments don't obscure the xmp close</xmp>
- <% # some php code here
- write("<pre>$horriblySyntacticConstruct1</pre>\n\n");
- %>
- <script type="text/javascript"><!--
- alert("hello world");
- // --></script>
-
- <script>/* </script> */alert('hi');</script>
- <script><!--/* </script> */alert('hi');--></script>
-
- <xmp style=color:blue><!--/* </xmp> */alert('hi');--></xmp>
-
- <style><!-- p { contentf: '</style>' } --></style>
- <style>Foo<!-- > </style> --></style>
- <textarea><!-- Zoicks </textarea>--></textarea>
- <!-- An escaping text span start may share its U+002D HYPHEN-MINUS characters
- - with its corresponding escaping text span end. -->
- <script><!--></script>
- <script><!---></script>
- <script><!----></script>
- </body>
- </html>
- <![CDATA[ No such thing as a CDATA> section in HTML ]]>
- <script>a<b</script>
- <img src=foo.gif /><a href=><a href=/>
- <span title=malformed attribs' do=don't id=foo checked onclick="a<b">Bar</span>`);
-
- expect(clean.replace(/\s+/g, '')).toBe(
- `Clickyalert("<b>hi</b>");<divid=notarealtagonclick=notcode()><notatag<<<allinonetextblock>>><%#somephpcodeherewrite("$horriblySyntacticConstruct1");%>*/alert('hi');*/alert('hi');-->*/alert('hi');-->'}-->--><!--Zoicks-->sectioninHTML]]><ahref=""></a><ahref="/">Bar</a>`,
- );
- });
-});
-
-describe('sanitizeString', () => {
- it('should not allow MathML and SVG', () => {
- const tainted = `
- Hi <a href="javascript:alert('hello')" target="_blank">this</a> is <i>in italics</i> and <ul>
- <li> lists </li>
- <li> are allowed</li>
- </ul>
- <p class="some-class">
- as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
- and <code>code.is.accepted too</code>
- </p>
- <svg><text>SVG isn't allowed</text></svg>
- <math xmlns="http://www.w3.org/1998/Math/MathML">
- <infinity />
- </math>`;
- const clean = `
- Hi <a>this</a> is <i>in italics</i> and <ul>
- <li> lists </li>
- <li> are allowed</li>
- </ul>
- <p class="some-class">
- as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
- and <code>code.is.accepted too</code>
- </p>`;
-
- expect(sanitizeString(tainted).trimRight()).toBe(clean);
- });
-});
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+
+import { sanitizeHTMLNoSVGNoMathML } from 'design-system';
import { diffLines } from 'diff';
import { groupBy, keyBy } from 'lodash';
-import { sanitizeString } from './sanitize';
const NUMBER_OF_EXAMPLES = 2;
nonCompliantCode += `<div class='code-removed'>${value}</div>`;
}
});
- return [sanitizeString(nonCompliantCode), sanitizeString(compliantCode)];
+ return [sanitizeHTMLNoSVGNoMathML(nonCompliantCode), sanitizeHTMLNoSVGNoMathML(compliantCode)];
}
function replaceInDom(current: Element, code: string) {
+++ /dev/null
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-import { sanitize } from 'dompurify';
-
-export function sanitizeStringRestricted(html: string) {
- return sanitize(html, {
- ALLOWED_TAGS: ['b', 'br', 'code', 'i', 'li', 'p', 'strong', 'ul', 'a'],
- ALLOWED_ATTR: ['target', 'href'],
- });
-}
-
-export function sanitizeString(html: string) {
- return sanitize(html, { USE_PROFILES: { html: true } });
-}
-
-export function sanitizeUserInput(html: string) {
- return sanitize(html, {
- ALLOWED_TAGS: [
- 'b',
- 'br',
- 'code',
- 'i',
- 'li',
- 'p',
- 'strong',
- 'ul',
- 'ol',
- 'a',
- 'h1',
- 'h2',
- 'h3',
- 'h4',
- 'h5',
- 'h6',
- 'blockquote',
- 'pre',
- ],
- ALLOWED_ATTR: ['target', 'href', 'rel'],
- });
-}
d3-shape: 3.2.0
d3-zoom: 3.0.0
date-fns: 4.1.0
+ dompurify: 3.1.7
lodash: 4.17.21
react: 18.3.1
react-day-picker: 8.10.0
projects / sonarqube.git / commitdiff