Summary

To silence recurring errors for sanitize-html, how about we switch to dompurify instead?

QUESTIONS

The tests for this kept failing for something I'm not sure is the best expectation:

While escaping `"` characters, for some reason the text wants (straight double) quotes to be converted to `&quot;` (okay, fine, not unexpected), but then the regex removes the `&` and `;`, so quotes get turned into `quot` rather than a legit escaped value. Seems like they should be stripped out or turned into `"`, `"`, `0x22`, `%22`…—is there a reason we're going through the trouble of escaping it only to rip it to pieces, too? I've added a patch for this to pass tests and behave as currently expected, but I don't like it.

Are there other characters where this is or should be happening but which aren't in tests?

If we change this, how will it affect site search and filters? I can see removing straight quotes from filters, but they help with grouping terms for site search. There are special characters in organizations' names, too: lots of companies with `&` in their name.

Impacted areas of the application

Anything that uses `helpers.sanitizeValue()`, which is every typeahead and some tests. Typeaheads including filters, site search, candidate lookups in widgets… but if it's fixed in search + filters, it's likely good everywhere.

I changed the `_.isArray()` calls to the modern `Array.isArray()` since it was so easy to take another step from Underscore.

Screenshots

No visual changes

Related PRs

None

How to test

`npm i`
`npm run test-single` (it also does its own build)

Because we've removed sanitize-html, that vulnerability warning should vanish.