author | Wouter Admiraal <wouter.admiraal@sonarsource.com> | 2020-06-16 14:11:39 +0200 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2020-06-30 20:05:42 +0000 |
commit | 5e93a5a3e81c5285e354d4632024c31581bd7ae5 (patch) | |
tree | ae6712c5484dec61a11f0cbc0e103428aafc9a6c /server | |
parent | 763495b61a29ff949730bc9322dd1b4e70241476 (diff) | |
SONAR-13324 SONAR-13354 Fix SSF-108 and SSF-111
Diffstat (limited to 'server')
4 files changed, 15 insertions, 10 deletions
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
index 372d15174f4..32c9d1c9c2a 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
@@ -18,6 +18,7 @@
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 */
 import * as classNames from 'classnames';
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { ResetButtonLink, SubmitButton } from 'sonar-ui-common/components/controls/buttons';
 import Modal from 'sonar-ui-common/components/controls/Modal';
@@ -225,8 +226,8 @@ export default class ActivationFormModal extends React.PureComponent<Props, Stat
 )}
 <div
 className="note"
- // Safe: defined by rule creator (instance admin?)
- dangerouslySetInnerHTML={{ __html: param.htmlDesc || '' }}
+ // eslint-disable-next-line react/no-danger
+ dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
 />
 </div>
 ))
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
index bf85766a4c7..40d85d3e191 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
@@ -17,6 +17,7 @@
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 */
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { ResetButtonLink, SubmitButton } from 'sonar-ui-common/components/controls/buttons';
 import Modal from 'sonar-ui-common/components/controls/Modal';
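Review bot: The `sanitize(x || '')` call plus `// eslint-disable-next-line react/no-danger` pair introduced in the `@@ -225,8 +226,8 @@` hunk is repeated verbatim in CustomRuleFormModal, twice in RuleDetailsDescription and in RuleDetailsParameters; a small shared helper such as `sanitizeHtml(html?: string): string { return sanitize(html || ''); }` in the app's helpers would keep the DOMPurify configuration in one place. That matters because the default allowlist is a policy decision: if rule descriptions carry markup that the default profile drops (attributes such as `target` on links are a plausible case — verify against the rendered output), a single call site is where to adjust the configuration and add the matching `rel="noopener"` handling, rather than patching five components. The removed comment recorded the former trust assumption, while the new eslint-disable line says nothing about why the injection is acceptable now; a one-line reason next to it, `// Sanitized with DOMPurify before injection`, would help the next reader. The enclosing render methods start and end outside each of these hunks.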
@@ -304,8 +305,8 @@ export default class CustomRuleFormModal extends React.PureComponent<Props, Stat
 )}
 <div
 className="modal-field-description"
- // Safe: defined by rule creator (instance admin?)
- dangerouslySetInnerHTML={{ __html: param.htmlDesc || '' }}
+ // eslint-disable-next-line react/no-danger
+ dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
 />
 </div>
 );
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
index bda70cc34c9..0ff0289db2b 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
@@ -17,6 +17,7 @@
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 */
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { Button, ResetButtonLink } from 'sonar-ui-common/components/controls/buttons';
 import { translate, translateWithParameters } from 'sonar-ui-common/helpers/l10n';
@@ -112,8 +113,8 @@ export default class RuleDetailsDescription extends React.PureComponent<Props, S
 {this.props.ruleDetails.htmlNote !== undefined && (
 <div
 className="rule-desc spacer-bottom markdown"
- // Safe: defined by rule creator (instance admin?)
- dangerouslySetInnerHTML={{ __html: this.props.ruleDetails.htmlNote }}
+ // eslint-disable-next-line react/no-danger
+ dangerouslySetInnerHTML={{ __html: sanitize(this.props.ruleDetails.htmlNote) }}
 />
 )}
 {this.props.canWrite && (
@@ -194,8 +195,8 @@ export default class RuleDetailsDescription extends React.PureComponent<Props, S
 {hasDescription ? (
 <div
 className="coding-rules-detail-description rule-desc markdown"
- // Safe: defined by rule creator (instance admin?)
- dangerouslySetInnerHTML={{ __html: ruleDetails.htmlDesc || '' }}
+ // eslint-disable-next-line react/no-danger
+ dangerouslySetInnerHTML={{ __html: sanitize(ruleDetails.htmlDesc || '') }}
 />
 ) : (
 <div className="coding-rules-detail-description rule-desc markdown">
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
index fe95a837903..a62c60867ae 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
@@ -17,6 +17,7 @@
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 */
+import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { translate } from 'sonar-ui-common/helpers/l10n';
@@ -29,8 +30,9 @@ export default class RuleDetailsParameters extends React.PureComponent<Props> {
 <tr className="coding-rules-detail-parameter" key={param.key}>
 <td className="coding-rules-detail-parameter-name">{param.key}</td>
 <td className="coding-rules-detail-parameter-description">
- <p // Safe: defined by rule creator (instance admin?)
- dangerouslySetInnerHTML={{ __html: param.htmlDesc || '' }}
+ <p
+ // eslint-disable-next-line react/no-danger
+ dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
 />
 {param.defaultValue !== undefined && (
 <div className="note spacer-top"> |