Skip to content

Commit

Permalink
[Table Visualization][BUG] Fix Url content display (#2918)
Browse files Browse the repository at this point in the history
Currently, the new table can not format Url. If we
set to use URL format in index pattern field, table
will display it as string.

In this PR, we switch the format from string to html.
To make html understandable by react as a DOM element,
we use dangerouslySetInnerHTML to transform it. For the
security, since the content is not from random input but
fetched from stored data, we should be safe as long as
data is not messed.

To provide more security protection, we also add dompurify
package to sanitize the html content.

Issue Resolved:
#2905

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
  • Loading branch information
ananzh authored Dec 15, 2022
1 parent bb94a9d commit b16ee64
Show file tree
Hide file tree
Showing 4 changed files with 33 additions and 4 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
- [Build] Fixed "Last Access Time" not being set by `scanCopy` on Windows ([#2964](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2964))
- [Vis Builder] Add global data persistence for vis builder #2896 ([#2896](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2896))
- Update `leaflet-vega` and fix its usage ([#3005](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3005))

- [Table Visualization][BUG] Fix Url content display issue in table ([#2918](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2918))

### 🚞 Infrastructure

Expand Down
2 changes: 2 additions & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,7 @@
"@types/dedent": "^0.7.0",
"@types/deep-freeze-strict": "^1.1.0",
"@types/delete-empty": "^2.0.0",
"@types/dompurify": "^2.3.3",
"@types/elasticsearch": "^5.0.33",
"@types/enzyme": "^3.10.7",
"@types/eslint": "^6.1.3",
Expand Down Expand Up @@ -354,6 +355,7 @@
"d3-cloud": "1.2.5",
"dedent": "^0.7.0",
"delete-empty": "^2.0.0",
"dompurify": "^2.4.1",
"enzyme": "^3.11.0",
"enzyme-adapter-react-16": "^1.15.5",
"enzyme-to-json": "^3.5.0",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@

import React, { useCallback, useMemo } from 'react';
import { orderBy } from 'lodash';
import dompurify from 'dompurify';
import { EuiDataGridProps, EuiDataGrid, EuiDataGridSorting, EuiTitle } from '@elastic/eui';

import { IInterpreterRenderHandlers } from 'src/plugins/expressions';
Expand Down Expand Up @@ -50,9 +51,18 @@ export const TableVisComponent = ({
const rawContent = sortedRows[rowIndex][columnId];
const colIndex = columns.findIndex((col) => col.id === columnId);
const column = columns[colIndex];
// use formatter to format raw content
// this can format date and percentage data
const formattedContent = column.formatter.convert(rawContent, 'text');
const htmlContent = column.formatter.convert(rawContent, 'html');
const formattedContent = (
/*
* Justification for dangerouslySetInnerHTML:
* This is one of the visualizations which makes use of the HTML field formatters.
* Since these formatters produce raw HTML, this visualization needs to be able to render them as-is, relying
* on the field formatter to only produce safe HTML.
* `htmlContent` is created by converting raw data via HTML field formatter, so we need to make sure this value never contains
* any unsafe HTML (e.g. by bypassing the field formatter).
*/
<div dangerouslySetInnerHTML={{ __html: dompurify.sanitize(htmlContent) }} /> // eslint-disable-line react/no-danger
);
return sortedRows.hasOwnProperty(rowIndex) ? formattedContent || null : null;
}) as EuiDataGridProps['renderCellValue'];
}, [sortedRows, columns]);
Expand Down
17 changes: 17 additions & 0 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -3004,6 +3004,13 @@
resolved "https://registry.yarnpkg.com/@types/delete-empty/-/delete-empty-2.0.0.tgz#1647ae9e68f708a6ba778531af667ec55bc61964"
integrity sha512-sq+kwx8zA9BSugT9N+Jr8/uWjbHMZ+N/meJEzRyT3gmLq/WMtx/iSIpvdpmBUi/cvXl6Kzpvve8G2ESkabFwmg==

"@types/dompurify@^2.3.3":
version "2.4.0"
resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-2.4.0.tgz#fd9706392a88e0e0e6d367f3588482d817df0ab9"
integrity sha512-IDBwO5IZhrKvHFUl+clZxgf3hn2b/lU6H1KaBShPkQyGJUQ0xwebezIPSuiyGwfz1UzJWQl4M7BDxtHtCCPlTg==
dependencies:
"@types/trusted-types" "*"

"@types/duplexify@^3.6.0":
version "3.6.1"
resolved "https://registry.yarnpkg.com/@types/duplexify/-/duplexify-3.6.1.tgz#5685721cf7dc4a21b6f0e8a8efbec6b4d2fbafad"
Expand Down Expand Up @@ -3800,6 +3807,11 @@
resolved "https://registry.yarnpkg.com/@types/tough-cookie/-/tough-cookie-4.0.1.tgz#8f80dd965ad81f3e1bc26d6f5c727e132721ff40"
integrity sha512-Y0K95ThC3esLEYD6ZuqNek29lNX2EM1qxV8y2FTLUB0ff5wWrk7az+mLrnNFUnaXcgKye22+sFBRXOgpPILZNg==

"@types/trusted-types@*":
version "2.0.2"
resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.2.tgz#fc25ad9943bcac11cceb8168db4f275e0e72e756"
integrity sha512-F5DIZ36YVLE+PN+Zwws4kJogq47hNgX3Nx6WyDJ3kcplxyke3XIzB8uK5n/Lpm1HBsbGzd6nmGehL8cPekP+Tg==

"@types/type-detect@^4.0.1":
version "4.0.1"
resolved "https://registry.yarnpkg.com/@types/type-detect/-/type-detect-4.0.1.tgz#3b0f5ac82ea630090cbf57c57a1bf5a63a29b9b6"
Expand Down Expand Up @@ -7338,6 +7350,11 @@ domhandler@^4.0, domhandler@^4.0.0, domhandler@^4.2.0, domhandler@^4.2.2, domhan
dependencies:
domelementtype "^2.2.0"

dompurify@^2.4.1:
version "2.4.1"
resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.4.1.tgz#f9cb1a275fde9af6f2d0a2644ef648dd6847b631"
integrity sha512-ewwFzHzrrneRjxzmK6oVz/rZn9VWspGFRDb4/rRtIsM1n36t9AKma/ye8syCpcw+XJ25kOK/hOG7t1j2I2yBqA==

domutils@1.5.1:
version "1.5.1"
resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.5.1.tgz#dcd8488a26f563d61079e48c9f7b7e32373682cf"
Expand Down

0 comments on commit b16ee64

Please sign in to comment.