Commit 9dcf3f0b authored by Justin Ho's avatar Justin Ho Committed by Dheeraj Joshi

Remove DOMPurify attribute sanitization

Due to a bug in DOMPurify, we had to implement
potentially dangerous data-* attribute sanitization using
hooks. These checks can be removed now as they are
no longer needed.

This will allow v-safe-html to configure if it should allow
these attributes for inputs that are safe.

This reverts changes introduced in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65301

Changelog: changed
parent 5765de30
import { sanitize as dompurifySanitize, addHook } from 'dompurify'; import { sanitize as dompurifySanitize, addHook } from 'dompurify';
import { getBaseURL, relativePathToAbsolute } from '~/lib/utils/url_utility'; import { getBaseURL, relativePathToAbsolute } from '~/lib/utils/url_utility';
// Safely allow SVG <use> tags
const defaultConfig = { const defaultConfig = {
// Safely allow SVG <use> tags
ADD_TAGS: ['use'], ADD_TAGS: ['use'],
// Prevent possible XSS attacks with data-* attributes used by @rails/ujs
// See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
}; };
const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
// Only icons urls from `gon` are allowed // Only icons urls from `gon` are allowed
const getAllowedIconUrls = (gon = window.gon) => const getAllowedIconUrls = (gon = window.gon) =>
[gon.sprite_file_icons, gon.sprite_icons].filter(Boolean); [gon.sprite_file_icons, gon.sprite_icons].filter(Boolean);
...@@ -46,19 +46,10 @@ const sanitizeSvgIcon = (node) => { ...@@ -46,19 +46,10 @@ const sanitizeSvgIcon = (node) => {
removeUnsafeHref(node, 'xlink:href'); removeUnsafeHref(node, 'xlink:href');
}; };
const sanitizeHTMLAttributes = (node) => {
forbiddenDataAttrs.forEach((attr) => {
if (node.hasAttribute(attr)) {
node.removeAttribute(attr);
}
});
};
addHook('afterSanitizeAttributes', (node) => { addHook('afterSanitizeAttributes', (node) => {
if (node.tagName.toLowerCase() === 'use') { if (node.tagName.toLowerCase() === 'use') {
sanitizeSvgIcon(node); sanitizeSvgIcon(node);
} }
sanitizeHTMLAttributes(node);
}); });
export const sanitize = (val, config = defaultConfig) => dompurifySanitize(val, config); export const sanitize = (val, config = defaultConfig) => dompurifySanitize(val, config);
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment