-
-
Notifications
You must be signed in to change notification settings - Fork 5.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix
<RichTextField>
XSS vulnerability
- Loading branch information
1 parent
450635d
commit e5bfbe2
Showing
6 changed files
with
136 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
84 changes: 84 additions & 0 deletions
84
packages/ra-ui-materialui/src/field/RichTextField.stories.tsx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
import * as React from 'react'; | ||
import { RecordContextProvider, useTimeout } from 'ra-core'; | ||
import dompurify from 'dompurify'; | ||
|
||
import { RichTextField } from './RichTextField'; | ||
import { SimpleShowLayout } from '../detail/SimpleShowLayout'; | ||
|
||
export default { | ||
title: 'ra-ui-materialui/fields/RichTextField', | ||
}; | ||
|
||
const record = { | ||
id: 1, | ||
body: ` | ||
<p> | ||
<strong>War and Peace</strong> is a novel by the Russian author <a href="https://en.wikipedia.org/wiki/Leo_Tolstoy">Leo Tolstoy</a>, | ||
published serially, then in its entirety in 1869. | ||
</p> | ||
<p> | ||
It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature. | ||
</p> | ||
<img src="https://upload.wikimedia.org/wikipedia/commons/a/af/Tolstoy_-_War_and_Peace_-_first_edition%2C_1869.jpg" /> | ||
`, | ||
}; | ||
|
||
export const Basic = () => ( | ||
<RecordContextProvider value={record}> | ||
<RichTextField source="body" /> | ||
</RecordContextProvider> | ||
); | ||
|
||
export const StripTags = () => ( | ||
<RecordContextProvider value={record}> | ||
<RichTextField source="body" stripTags /> | ||
</RecordContextProvider> | ||
); | ||
|
||
export const InSimpleShowLayout = () => ( | ||
<RecordContextProvider value={record}> | ||
<SimpleShowLayout> | ||
<RichTextField source="body" /> | ||
</SimpleShowLayout> | ||
</RecordContextProvider> | ||
); | ||
|
||
const DomPurifyInspector = () => { | ||
useTimeout(100); // force a redraw after the lazy loading of dompurify | ||
const dompurifyRemoved = dompurify.removed | ||
.map( | ||
removal => | ||
`removed attribute ${ | ||
removal.attribute.name | ||
} from tag <${removal.from.tagName.toLowerCase()}>` | ||
) | ||
.join(', '); | ||
return <em>{dompurifyRemoved}</em>; | ||
}; | ||
|
||
export const Secure = () => ( | ||
<RecordContextProvider | ||
value={{ | ||
id: 1, | ||
body: ` | ||
<p> | ||
<strong>War and Peace</strong> is a novel by the Russian author | ||
<a href="https://en.wikipedia.org/wiki/Leo_Tolstoy" onclick="document.getElementById('stolendata').value='credentials';">Leo Tolstoy</a>, | ||
published serially, then in its entirety in 1869. | ||
</p> | ||
<p onmouseover="document.getElementById('stolendata').value='credentials';"> | ||
It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature. | ||
</p> | ||
<img src="x" onerror="document.getElementById('stolendata').value='credentials';" /> | ||
`, | ||
}} | ||
> | ||
<RichTextField source="body" /> | ||
<hr /> | ||
<DomPurifyInspector /> | ||
<div> | ||
<h4>Stolen data:</h4> | ||
<input id="stolendata" defaultValue="none" /> | ||
</div> | ||
</RecordContextProvider> | ||
); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters