From 92d8ff989a695dc18172f6447cec0b5649f75aea Mon Sep 17 00:00:00 2001
From: Stivali Serna
Date: Fri, 1 Dec 2023 12:09:03 +0100
Subject: [PATCH 1/3] feat(packages/sui-js): exclude script tags in html sanitization

---
 packages/sui-js/src/react/index.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/sui-js/src/react/index.js b/packages/sui-js/src/react/index.js
index 50a89b1f8..9ea0f75db 100644
--- a/packages/sui-js/src/react/index.js
+++ b/packages/sui-js/src/react/index.js
@@ -1,4 +1,12 @@
-export {default as htmlStringToReactElement} from 'htmr'
+import htmr from 'htmr'
+
+export const htmlStringToReactElement = (string, options) => htmr(string, {
+ ...options,
+ transform: {
+ script: () => null,
+ ...options?.transform
+ }
+})
 
 const isReactRefObj = target => {
 if (target && typeof target === 'object') {

From 92ef4e3ee4728750da030811610edd06f3a22c41 Mon Sep 17 00:00:00 2001
From: Tomas Madariaga
Date: Fri, 1 Dec 2023 13:00:31 +0100
Subject: [PATCH 2/3] refactor(packages/sui-js): lint

---
 packages/sui-js/src/react/index.js | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/packages/sui-js/src/react/index.js b/packages/sui-js/src/react/index.js
index 9ea0f75db..32c070149 100644
--- a/packages/sui-js/src/react/index.js
+++ b/packages/sui-js/src/react/index.js
@@ -1,12 +1,13 @@
 import htmr from 'htmr'
 
-export const htmlStringToReactElement = (string, options) => htmr(string, {
- ...options,
- transform: {
- script: () => null,
- ...options?.transform
- }
-})
+export const htmlStringToReactElement = (string, options) =>
+ htmr(string, {
+ ...options,
+ transform: {
+ script: () => null,
+ ...options?.transform
+ }
+ })
 
 const isReactRefObj = target => {
 if (target && typeof target === 'object') {

From b2fd0139e3549eb2d06e95c53347d5242375fe49 Mon Sep 17 00:00:00 2001
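Review bot: The `script: () => null` transform only drops the `<script>` element, yet the subject line calls this "html sanitization"; attributes on the elements that survive (an `<a href="javascript:...">`, a `style` attribute, `srcdoc`/`src` URLs) are, as far as I can tell, still mapped to React props by htmr, so this wrapper is not a sanitizer and should not be relied on as one for untrusted input. I would run untrusted markup through a real HTML sanitizer before it reaches `htmr` and state the limitation on the export, e.g. `/** Converts an HTML string to React elements. Not a sanitizer: only strips the elements listed in the transform, attributes pass through — sanitize untrusted input first. */`. A JSDoc for `string` and `options` (forwarded verbatim to htmr) is also missing. The `isReactRefObj` helper shown as context continues outside the hunk.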
From: Stivali Serna
Date: Fri, 1 Dec 2023 13:39:29 +0100
Subject: [PATCH 3/3] feat(packages/sui-js): exclude all dangerous html elements

---
 packages/sui-js/src/react/index.js | 35 +++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/packages/sui-js/src/react/index.js b/packages/sui-js/src/react/index.js
index 32c070149..d0d3d4072 100644
--- a/packages/sui-js/src/react/index.js
+++ b/packages/sui-js/src/react/index.js
@@ -1,10 +1,43 @@
 import htmr from 'htmr'
 
+// This is a list of all the elements that should not be allowed to be rendered as they pose a security risk.
+// See: https://developer.mozilla.org/en-US/docs/Web/HTML/Element
+// If you want to allow one of these elements, you can add it to the `transform` object in the `options`.
+export const DANGEROUS_TRANSFORMS = {
+ area: () => null,
+ audio: () => null,
+ base: () => null,
+ canvas: () => null,
+ embed: () => null,
+ form: () => null,
+ frame: () => null,
+ frameset: () => null,
+ head: () => null,
+ html: () => null,
+ iframe: () => null,
+ img: () => null,
+ link: () => null,
+ map: () => null,
+ meta: () => null,
+ noscript: () => null,
+ object: () => null,
+ picture: () => null,
+ portal: () => null,
+ script: () => null,
+ slot: () => null,
+ source: () => null,
+ style: () => null,
+ template: () => null,
+ title: () => null,
+ track: () => null,
+ video: () => null
+}
+
 export const htmlStringToReactElement = (string, options) =>
 htmr(string, {
 ...options,
 transform: {
- script: () => null,
+ ...DANGEROUS_TRANSFORMS,
 ...options?.transform
 }
 })
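Review bot: `DANGEROUS_TRANSFORMS` is exported as a plain mutable object and is spread before `...options?.transform`, so a caller can re-enable any element by passing a transform with the same key (documented as intentional) but can also change behaviour for every other caller by assigning into the shared object, e.g. `DANGEROUS_TRANSFORMS.script = undefined`; freezing it closes the second path: `export const DANGEROUS_TRANSFORMS = Object.freeze({` … `})`. The header comment's claim to list "all" risky elements is stronger than a tag-name blocklist can support — foreign content such as `svg`/`math` is not listed, and attribute-level vectors like a `javascript:` `href` on an `<a>` are presumably untouched since only element names are transformed — so I would reword it to `// Element-name blocklist applied as a defence-in-depth default. Not a sanitizer: attributes of allowed elements pass through; sanitize untrusted HTML before calling htmlStringToReactElement.`. Because callers will naturally pass `options.transform`, it is worth saying in that comment that a caller-supplied key for one of these elements silently overrides the default.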