-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Improves SafeMarkdown HTML sanitization #21895
Changes from all commits
43db279
20fc043
7d8f377
dbba9ef
732d669
582f34e
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Large diffs are not rendered by default.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,38 +16,44 @@ | |
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
import React from 'react'; | ||
import ReactMarkdown, { MarkdownAbstractSyntaxTree } from 'react-markdown'; | ||
// @ts-ignore no types available | ||
import htmlParser from 'react-markdown/plugins/html-parser'; | ||
|
||
import React, { useMemo } from 'react'; | ||
import ReactMarkdown from 'react-markdown'; | ||
import rehypeSanitize, { defaultSchema } from 'rehype-sanitize'; | ||
import rehypeRaw from 'rehype-raw'; | ||
import { merge } from 'lodash'; | ||
import { FeatureFlag, isFeatureEnabled } from '../utils'; | ||
|
||
interface SafeMarkdownProps { | ||
source: string; | ||
htmlSanitization?: boolean; | ||
htmlSchemaOverrides?: typeof defaultSchema; | ||
} | ||
|
||
function isSafeMarkup(node: MarkdownAbstractSyntaxTree) { | ||
return node.type === 'html' && node.value | ||
? !/(href|src)="(javascript|vbscript|file):.*"/gim.test(node.value) | ||
: true; | ||
} | ||
function SafeMarkdown({ | ||
source, | ||
htmlSanitization = true, | ||
htmlSchemaOverrides = {}, | ||
}: SafeMarkdownProps) { | ||
const displayHtml = isFeatureEnabled(FeatureFlag.DISPLAY_MARKDOWN_HTML); | ||
const escapeHtml = isFeatureEnabled(FeatureFlag.ESCAPE_MARKDOWN_HTML); | ||
|
||
const rehypePlugins = useMemo(() => { | ||
const rehypePlugins: any = []; | ||
if (displayHtml && !escapeHtml) { | ||
rehypePlugins.push(rehypeRaw); | ||
if (htmlSanitization) { | ||
const schema = merge(defaultSchema, htmlSchemaOverrides); | ||
rehypePlugins.push([rehypeSanitize, schema]); | ||
} | ||
} | ||
return rehypePlugins; | ||
}, [displayHtml, escapeHtml, htmlSanitization, htmlSchemaOverrides]); | ||
Comment on lines
+37
to
+50
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Kind of unrelated comment, but just thinking out loud: as the feature flags here are constant (they're populated from bootstrap data at load time), const displayHtml = useFeatureFlag(FeatureFlag.DISPLAY_MARKDOWN_HTML); which could change dynamically, in which case they would also be more relevant in the dep array. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agreed. I was thinking the same thing here 😄 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hi @villebro @michael-s-molina, I thought the dynamic feature flag might not be a good approach. The reason is that
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think all of these problems can be addressed in a future configuration module. We can choose what properties we expose to the module and also add the necessary logic to change backend flags. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good point, I think we should create a new concept to handle user settings. |
||
|
||
function SafeMarkdown({ source }: SafeMarkdownProps) { | ||
// React Markdown escapes HTML by default | ||
return ( | ||
<ReactMarkdown | ||
source={source} | ||
escapeHtml={isFeatureEnabled(FeatureFlag.ESCAPE_MARKDOWN_HTML)} | ||
skipHtml={!isFeatureEnabled(FeatureFlag.DISPLAY_MARKDOWN_HTML)} | ||
allowNode={isSafeMarkup} | ||
astPlugins={[ | ||
htmlParser({ | ||
isValidNode: (node: MarkdownAbstractSyntaxTree) => | ||
node.type !== 'script', | ||
}), | ||
]} | ||
/> | ||
<ReactMarkdown rehypePlugins={rehypePlugins} skipHtml={!displayHtml}> | ||
{source} | ||
</ReactMarkdown> | ||
); | ||
} | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It'd be nice to have RTL tests that test something along the following lines:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll work on this in a follow-up 👍🏼
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@villebro
superset-ui/core
only guarantee 100% coverage on thejs/ts
file.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh right! Thanks for following up @zhaoyongjie ! 👍