Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CRS-276] Sanitize URL image sources in Image component #543

Merged
merged 1 commit into from
Sep 25, 2020
Merged

[CRS-276] Sanitize URL image sources in Image component #543

merged 1 commit into from
Sep 25, 2020

Conversation

vini-btc
Copy link
Contributor

@vini-btc vini-btc commented Sep 25, 2020
edited
Loading

Some outdated browsers could still allow javascript execution from img
elements, which could lead to XSS. Although such browsers would fall
outside the scope of our supported browsers, fixing the vulnerability is
a simple, so we're opting for doing it here.

It is important to note that the javascript check will be obsolete in
the next major react version, where it will no longer render uris with
javascript as a protocol.

@vini-btc
Sanitize URL image sources in Image component
df5a8aa 
Some outdated browsers could potentially still allow javascript execution from img
elements, which could lead to XSS. Although such browsers would fall
outside the scope of our supported browsers, fixing the vulnerability is
a simple, so we're opting for doing it here.

It is important to note that the javascript check will be obsolete in
the next major react version, where it will no longer render uris with
javascript as a protocol.
@vini-btc vini-btc force-pushed the fix/CRS-276-improve-attachment-sanitization branch from 00042a2 to df5a8aa Compare September 25, 2020 12:06
@vini-btc vini-btc changed the title Sanitize URL image sources in Image component [CRS-276] Sanitize URL image sources in Image component Sep 25, 2020
@github-actions
Copy link

github-actions bot commented Sep 25, 2020
edited
Loading

Size Change: +40 B (0%)

Total Size: 1.25 MB

Filename Size Change
./dist/browser.full-bundle.js 637 kB +15 B (0%)
./dist/browser.full-bundle.min.js 370 kB +1 B
./dist/index.es.js 103 kB +11 B (0%)
./dist/index.js 105 kB +13 B (0%)
ℹ️ View Unchanged
Filename Size Change
./dist/css/index.css 22.8 kB 0 B
./dist/css/index.js 21 B 0 B
./dist/i18n/en.json 785 B 0 B
./dist/i18n/fr.json 1.2 kB 0 B
./dist/i18n/hi.json 1.37 kB 0 B
./dist/i18n/it.json 1.14 kB 0 B
./dist/i18n/nl.json 1.12 kB 0 B
./dist/i18n/ru.json 1.4 kB 0 B
./dist/i18n/tr.json 1.13 kB 0 B

compressed-size-action

@vini-btc vini-btc merged commit f8f7ef3 into master Sep 25, 2020
@delete-merged-branch delete-merged-branch bot deleted the fix/CRS-276-improve-attachment-sanitization branch September 25, 2020 13:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaapbakker88 jaapbakker88 jaapbakker88 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vini-btc @jaapbakker88