
feat(security): Strip HTML script tags before inserting content into DOM. Fixes #1974,#1665 #2134


Merged: 22 commits, merged Nov 4, 2018

Conversation

tmorehouse (Member)

Description of PR:

Utility for removing script tags from injected HTML (i.e. for use with v-html or domProps.innerHTML)

Prevents possible user supplied input from injecting scripts into the DOM

Fixes #1974
Fixes #1665


PR checklist:

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Enhancement to an existing feature
  • ARIA accessibility
  • Documentation update
  • Other, please describe:

Does this PR introduce a breaking change? (check one)

  • Yes
  • No

If yes, please describe the impact:

Scripts will no longer be injected into the DOM (i.e. from user supplied data or component props that support HTML)

The PR fulfills these requirements:

  • It's submitted to the dev branch, not the master branch
  • When resolving a specific issue, it's referenced in the PR's title (e.g. fixes #xxxx[,#xxxx], where "xxxx" is the issue number)

If new features/enhancement/fixes are added or changed:

  • Includes documentation updates
  • New/updated tests are included and passing (if required)
  • Existing test suites are passing
  • The changes have not impacted the functionality of other components or directives
  • ARIA Accessibility has been taken into consideration (does it affect screen reader users or keyboard only users?)

If adding a new feature, or changing the functionality of an existing feature, the PR's description includes:

  • A convincing reason for adding this feature (to avoid wasting your time, it's best to open a suggestion issue first and wait for approval before working on it)

PR titles should follow the Conventional Commits naming convention
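The PR describes a utility that removes `<script>` tags from HTML before it is handed to `v-html` or `domProps.innerHTML`. The block below is an added example, not bootstrap-vue's own `stripScripts` implementation: it shows one way to write such a helper (regular-expression based, with an extra pass for an unterminated opening tag) and, alongside it, a small check that reports what a script-only strip leaves behind, so a caller knows that output built from untrusted input still needs a full sanitizer or plain-text rendering. The helper names `stripScripts` and `executableResidue`, and the sample strings, are assumptions made for this example.

```javascript
// Added example, not the project's code: a script-stripping helper of the
// kind the PR describes, plus a check for executable HTML it does NOT remove.

// Match a complete <script ...>...</script> block, case-insensitively, with
// any attributes on the opening tag and a multi-line body.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

// An opening <script tag with no closing tag would otherwise swallow the rest
// of the markup when parsed; drop it through to the end of the string.
const DANGLING_RE = /<script\b[\s\S]*$/i;

// Return `html` with every script block removed.  Non-string and empty
// inputs are returned unchanged so the helper is safe to call on any prop.
function stripScripts(html) {
  if (typeof html !== 'string' || html.length === 0) return html;
  return html.replace(SCRIPT_RE, '').replace(DANGLING_RE, '');
}

// Stripping <script> tags is not sanitization.  This check lists the most
// common executable constructs that survive stripScripts(), so the caller can
// decide to render untrusted content as text (or run a real HTML sanitizer)
// instead of trusting the stripped markup.
function executableResidue(html) {
  const residue = [];
  if (/\son[a-z]+\s*=/i.test(html)) residue.push('event-handler attribute');
  if (/(href|src)\s*=\s*["']?\s*javascript:/i.test(html)) residue.push('javascript: URL');
  if (/<(iframe|object|embed)\b/i.test(html)) residue.push('embedded frame/object');
  return residue;
}

// Usage in a Vue render function (assumed shape, for illustration):
//   h('div', { domProps: { innerHTML: stripScripts(userSuppliedHtml) } })

// Constructed sample input for a stand-alone run.
const sample = '<p>Hello</p><SCRIPT type="text/javascript">\nconsole.log(1)\n</SCRIPT><b>ok</b>';
console.log(stripScripts(sample));                         // <p>Hello</p><b>ok</b>
console.log(executableResidue('<button onclick="go()">x</button>')); // [ 'event-handler attribute' ]
```

The residue check is deliberately conservative: it only reports, it does not try to rewrite the markup, because partial rewriting is exactly the path that leaves a component believing content is safe when it is not.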

@tmorehouse tmorehouse changed the title eat(security): Strip HTML script tags before inserting content into DOM. Fixes #1974,#1665 feat(security): Strip HTML script tags before inserting content into DOM. Fixes #1974,#1665 Nov 4, 2018
@codecov bot commented Nov 4, 2018

Codecov Report

Merging #2134 into dev will not change coverage.
The diff coverage is 77.77%.


@@           Coverage Diff           @@
##              dev    #2134   +/-   ##
=======================================
  Coverage   64.97%   64.97%           
=======================================
  Files         158      159    +1     
  Lines        2958     2958           
  Branches      811      811           
=======================================
  Hits         1922     1922           
  Misses        749      749           
  Partials      287      287
Impacted Files Coverage Δ
src/components/input-group/input-group.js 100% <ø> (ø) ⬆️
src/components/modal/modal.js 64.41% <ø> (ø) ⬆️
src/components/button-group/button-group.js 100% <ø> (ø) ⬆️
src/components/dropdown/dropdown.js 100% <ø> (ø) ⬆️
src/components/jumbotron/jumbotron.js 100% <ø> (ø) ⬆️
src/mixins/form-options.js 61.11% <ø> (ø) ⬆️
src/components/card/card-body.js 100% <ø> (ø) ⬆️
src/components/nav/nav-item-dropdown.js 85.71% <ø> (ø) ⬆️
src/components/progress/progress-bar.js 90.47% <0%> (ø) ⬆️
src/mixins/pagination.js 58.87% <100%> (ø) ⬆️
... and 4 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update afe1cd0...2570601.

@tmorehouse tmorehouse mentioned this pull request Nov 14, 2018
89 tasks
pi0 pushed a commit that referenced this pull request Jan 20, 2019
…DOM. Fixes #1974,#1665 (#2134)

* fixed a typo (#1931)

* Create utils/strip-sripts.js

Utility for removing script tags from injected HTML (i.e. for use with v-html or domProps.innerHTML)

Prevents user supplied input from injecting scripts into the DOM

* mixins/form-options.js use new stripScripts util

* Update button-group.js

Remove validator of size prop... to allow for custom CSS defined sizes

* Update card-body.js

* Update dropdown.js

* Update form-group.js

* Update input-group.js

* Update jumbotron.js

* Update modal.js

* Update nav-item-dropdown.js

* Update progress-bar.js

* Update table.js

* pagination mixin: add stripScripts and remove temporary button styling

* Minor update to table readme
Development

Successfully merging this pull request may close these issues.

  • Script tag is not escaped when using :option="" in form-select
  • Injection in b-form-group valid/invalid feedback properties
2 participants