From 5e93a5a3e81c5285e354d4632024c31581bd7ae5 Mon Sep 17 00:00:00 2001
From: Wouter Admiraal <wouter.admiraal@sonarsource.com>
Date: Tue, 16 Jun 2020 14:11:39 +0200
Subject: [PATCH] SONAR-13324 SONAR-13354 Fix SSF-108 and SSF-111

---
 .../apps/coding-rules/components/ActivationFormModal.tsx | 5 +++--
 .../apps/coding-rules/components/CustomRuleFormModal.tsx | 5 +++--
 .../coding-rules/components/RuleDetailsDescription.tsx   | 9 +++++----
 .../coding-rules/components/RuleDetailsParameters.tsx    | 6 ++++--
 4 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
index 372d15174f4..32c9d1c9c2a 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
@@ -18,6 +18,7 @@
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
 import * as classNames from 'classnames';
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { ResetButtonLink, SubmitButton } from 'sonar-ui-common/components/controls/buttons';
 import Modal from 'sonar-ui-common/components/controls/Modal';
@@ -225,8 +226,8 @@ export default class ActivationFormModal extends React.PureComponent<Props, Stat
                   )}
                   <div
                     className="note"
-                    // Safe: defined by rule creator (instance admin?)
-                    dangerouslySetInnerHTML={{ __html: param.htmlDesc || '' }}
+                    // eslint-disable-next-line react/no-danger
+                    dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
                   />
                 </div>
               ))
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
index bf85766a4c7..40d85d3e191 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
@@ -17,6 +17,7 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { ResetButtonLink, SubmitButton } from 'sonar-ui-common/components/controls/buttons';
 import Modal from 'sonar-ui-common/components/controls/Modal';
@@ -304,8 +305,8 @@ export default class CustomRuleFormModal extends React.PureComponent<Props, Stat
       )}
       <div
         className="modal-field-description"
-        // Safe: defined by rule creator (instance admin?)
-        dangerouslySetInnerHTML={{ __html: param.htmlDesc || '' }}
+        // eslint-disable-next-line react/no-danger
+        dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
       />
     </div>
   );
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
index bda70cc34c9..0ff0289db2b 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
@@ -17,6 +17,7 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { Button, ResetButtonLink } from 'sonar-ui-common/components/controls/buttons';
 import { translate, translateWithParameters } from 'sonar-ui-common/helpers/l10n';
@@ -112,8 +113,8 @@ export default class RuleDetailsDescription extends React.PureComponent<Props, S
       {this.props.ruleDetails.htmlNote !== undefined && (
         <div
           className="rule-desc spacer-bottom markdown"
-          // Safe: defined by rule creator (instance admin?)
-          dangerouslySetInnerHTML={{ __html: this.props.ruleDetails.htmlNote }}
+          // eslint-disable-next-line react/no-danger
+          dangerouslySetInnerHTML={{ __html: sanitize(this.props.ruleDetails.htmlNote) }}
         />
       )}
       {this.props.canWrite && (
@@ -194,8 +195,8 @@ export default class RuleDetailsDescription extends React.PureComponent<Props, S
         {hasDescription ? (
           <div
             className="coding-rules-detail-description rule-desc markdown"
-            // Safe: defined by rule creator (instance admin?)
-            dangerouslySetInnerHTML={{ __html: ruleDetails.htmlDesc || '' }}
+            // eslint-disable-next-line react/no-danger
+            dangerouslySetInnerHTML={{ __html: sanitize(ruleDetails.htmlDesc || '') }}
           />
         ) : (
           <div className="coding-rules-detail-description rule-desc markdown">
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
index fe95a837903..a62c60867ae 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
@@ -17,6 +17,7 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { translate } from 'sonar-ui-common/helpers/l10n';
 
@@ -29,8 +30,9 @@ export default class RuleDetailsParameters extends React.PureComponent<Props> {
     <tr className="coding-rules-detail-parameter" key={param.key}>
       <td className="coding-rules-detail-parameter-name">{param.key}</td>
       <td className="coding-rules-detail-parameter-description">
-        <p // Safe: defined by rule creator (instance admin?)
-          dangerouslySetInnerHTML={{ __html: param.htmlDesc || '' }}
+        <p
+          // eslint-disable-next-line react/no-danger
+          dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
         />
         {param.defaultValue !== undefined && (
           <div className="note spacer-top">
-- 
2.39.5