Page MenuHomeSoftware Heritage
Differential D1412

assets/readme-rendering: Use dompurify as XSS filter
ClosedPublic
Actions

Authored by anlambert on Apr 12 2019, 2:52 PM.

Details

Reviewers
ardumont
Group Reviewers
Reviewers
Commits
rDWAPPS6cbad0ef83c3: assets/readme-rendering: Use dompurify as XSS filter instead of xss
Summary

XSS filtering has recently been added to swh-web (D1322) for the rendering
of README files in markdown format.

But as @kalpitk noticed it, the rendering of images located in an origin source tree
is now broken.

So instead of using [[ https://github.com/VisionistInc/showdown-xss-filter | showdown-xss-filter ]] package, prefer to use the [[ https://github.com/cure53/DOMPurify | dompurify ]]
one which seems to have a good default white list for XSS filtering.

Related T1642

Diff Detail

Repository
rDWAPPS Web applications
Branch
better-xss-filtering
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 5433
Build 7361: tox-on-jenkinsJenkins
Build 7360: arc lint + arc unit

Event Timeline

anlambert created this revision.Apr 12 2019, 2:52 PM
Herald added a reviewer: Reviewers. · View Herald TranscriptApr 12 2019, 2:52 PM
anlambert mentioned this in T1642: Images with src within repo dont render in Readme.Apr 12 2019, 2:53 PM
swh-public-ci added a comment.Apr 12 2019, 2:55 PM

Build is green
See https://jenkins.softwareheritage.org/job/DWAPPS/job/tox/383/ for more details.

Harbormaster completed remote builds in B5400: Diff 4549.Apr 12 2019, 2:55 PM
anlambert updated this revision to Diff 4550.Apr 12 2019, 3:06 PM

Update: Simplify code and add XSS filtering for all supported README types

anlambert edited the summary of this revision. (Show Details)Apr 12 2019, 3:07 PM
swh-public-ci added a comment.Apr 12 2019, 3:10 PM

Build is green
See https://jenkins.softwareheritage.org/job/DWAPPS/job/tox/386/ for more details.

Harbormaster completed remote builds in B5401: Diff 4550.Apr 12 2019, 3:10 PM
ardumont accepted this revision.Apr 13 2019, 11:01 AM
This revision is now accepted and ready to land.Apr 13 2019, 11:01 AM
anlambert updated this revision to Diff 4571.Apr 15 2019, 10:41 AM

Rebase

swh-public-ci added a comment.Apr 15 2019, 10:44 AM

Build is green
See https://jenkins.softwareheritage.org/job/DWAPPS/job/tox/388/ for more details.

Harbormaster completed remote builds in B5433: Diff 4571.Apr 15 2019, 10:45 AM
Closed by commit rDWAPPS6cbad0ef83c3: assets/readme-rendering: Use dompurify as XSS filter instead of xss (authored by anlambert). · Explain WhyApr 15 2019, 10:45 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
2 lines
swh/
web/
assets/
src/
bundles/
webapp/
24 lines
templates/
includes/
2 lines
27 lines

Diff 4571

View Options

package.json

Loading...
View Options

swh/web/assets/src/bundles/webapp/readme-rendering.js

Loading...
View Options

swh/web/templates/includes/readme-display.html

Loading...
View Options

yarn.lock

Loading...
About · Developer information · Legal