@kittaakos kittaakos commented May 11, 2023

Motivation

Setting the innerHTML in an unsafe way has been removed, as it is vulnerable to stored Cross-Site Scripting.

Change description

I have replaced the innerHTML with a series of <span> elements optionally containing a <b> child. Neither functional nor style changes are expected in IDE2.

2.1.0 look and feel vs. the build from this PR:

Screen Shot 2023-05-11 at 14 51 45

2.1.0 DOM:

Screen Shot 2023-05-11 at 14 52 36

DOM from this PR:

Screen Shot 2023-05-11 at 14 53 41

Steps to verify:

  • If you have the ArduinoIoTCloud library installed, uninstall it,
  • Install the ArduinoIoTCloud library,
  • IDE2 opens the confirmation dialog,
  • Check the UI and compare it with the 2.1.0 release. They should be the same.

Other information

Ref: PNX-3669

Reviewer checklist

  • PR addresses a single concern.
  • The PR has no duplicates (please search among the Pull Requests before creating one)
  • PR title and description are properly filled.
  • Docs have been added / updated (for bug fixes / features)
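The pattern the PR describes, as an added example that is not code from the PR or from arduino-ide: the unsafe variant interpolates a library name into a markup string destined for `innerHTML`, while the safe variant splits the formatted message on its `<b>…</b>` markers and builds `<span>` elements (optionally wrapping a `<b>`) whose text is set through `textContent`. The `splitByBoldTag` below is a hypothetical reimplementation of the helper named in the diff, assuming the message template uses `<b>`/`</b>` markers; `fakeDocument` is a minimal stand-in for the browser DOM so the example runs under Node (in a browser, pass `document` instead).

```javascript
// Added example; not part of the arduino-ide code base.

// Before: the value is spliced into markup and would be assigned to innerHTML,
// so any HTML-looking characters in the library name are parsed as HTML.
function buildUnsafeMarkup(template, libraryName) {
  return template.replace('{name}', libraryName);
}

// Hypothetical reimplementation of the helper named in the diff. Returns
// undefined when the text contains no <b>...</b> markers, so callers can fall
// back to a plain textContent assignment.
function splitByBoldTag(text) {
  const re = /<b>(.*?)<\/b>/g;
  const segments = [];
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (m.index > last) segments.push({ text: text.slice(last, m.index), bold: false });
    segments.push({ text: m[1], bold: true });
    last = re.lastIndex;
  }
  if (segments.length === 0) return undefined;
  if (last < text.length) segments.push({ text: text.slice(last), bold: false });
  return segments;
}

// After: only the trusted template's <b> markers become elements; every text
// segment (including the formatted library name) goes through textContent.
function renderMessage(message, textContent, doc) {
  const segments = splitByBoldTag(textContent);
  if (!segments) {
    message.textContent = textContent; // plain-text fallback, no markup at all
    return message;
  }
  for (const seg of segments) {
    const span = doc.createElement('span');
    if (seg.bold) {
      const b = doc.createElement('b');
      b.textContent = seg.text;
      span.appendChild(b);
    } else {
      span.textContent = seg.text;
    }
    message.appendChild(span);
  }
  return message;
}

// Minimal DOM stand-in: an element holds either text or children, and
// outerHTML escapes text the way a browser serializer would.
function fakeDocument() {
  const escape = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const createElement = (tag) => ({
    tag,
    children: [],
    text: '',
    set textContent(v) { this.children = []; this.text = String(v); },
    get textContent() { return this.text + this.children.map((c) => c.textContent).join(''); },
    appendChild(child) { this.children.push(child); return child; },
    get outerHTML() {
      const inner = escape(this.text) + this.children.map((c) => c.outerHTML).join('');
      return `<${this.tag}>${inner}</${this.tag}>`;
    },
  });
  return { createElement };
}

// Constructed sample: a library name that contains HTML-looking characters.
const SAMPLE_NAME = 'Foo <i>Lib</i>';
const SAMPLE_TEMPLATE = 'The library <b>{name}:1.2.0</b> needs dependencies.';

function unsafeDemo() {
  return buildUnsafeMarkup(SAMPLE_TEMPLATE, SAMPLE_NAME);
}

function safeDemo() {
  const doc = fakeDocument();
  const text = SAMPLE_TEMPLATE.replace('{name}', SAMPLE_NAME); // formatting step
  return renderMessage(doc.createElement('div'), text, doc).outerHTML;
}

console.log(unsafeDemo());
console.log(safeDemo());
```

Running it shows the difference: the unsafe string still carries a raw `<i>Lib</i>` that a browser would parse, while the rendered tree serializes the same characters as `&lt;i&gt;Lib&lt;/i&gt;` inside the `<b>`, because they were assigned via `textContent` rather than parsed.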

As it is vulnerable to stored Cross-Site Scripting.

Ref: PNX-3669
Signed-off-by: Akos Kitta <[email protected]>
@kittaakos kittaakos added topic: code Related to content of the project itself topic: security Related to the protection of user data type: imperfection Perceived defect in any part of project labels May 11, 2023
@kittaakos kittaakos requested review from rhpco, AlbyIanna and per1234 May 11, 2023 13:00
@kittaakos kittaakos self-assigned this May 11, 2023
@@ -95,6 +95,22 @@ export class LibraryListWidget extends ListWidget<
item.name,
version
);
const segments = splitByBoldTag(textContent);
if (!segments) {
message.textContent = textContent;
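Review bot: the `if (!segments)` branch relies on `splitByBoldTag` returning a falsy value when the formatted text carries no `<b>` markup, and that contract is not stated at the call site; a one-line comment on the helper (or a `readonly` return type such as `Segment[] | undefined`) would make the fallback to `message.textContent = textContent` self-explanatory. Since this path is the plain-text sink for the message, a unit test that feeds a `textContent` containing angle brackets and asserts it is rendered literally would pin the fix against regressions.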
great!

@kittaakos kittaakos merged commit e47fb2e into main May 16, 2023
@kittaakos kittaakos deleted the PNX-3669 branch May 16, 2023 08:57
Labels
topic: code Related to content of the project itself topic: security Related to the protection of user data type: imperfection Perceived defect in any part of project