
Support Trusted Types #1575

Closed
shhnjk opened this issue Aug 5, 2020 · 2 comments · Fixed by #1614

Comments


shhnjk commented Aug 5, 2020

Bug Report

When Trusted Types is enabled on a website, the following lines cause a Trusted Types violation due to string assignment to a dangerous sink (i.e. innerHTML).

```js
element.__resizeTriggers__.innerHTML =
  '<div class="expand-trigger"><div></div></div>' +
  '<div class="contract-trigger"></div>';
```

This can be prevented by changing those lines to something like:

```js
// Build the trigger elements with DOM APIs instead of an HTML string
var expandTriggerDiv = document.createElement('div');
expandTriggerDiv.className = 'expand-trigger'; // className, not .class
expandTriggerDiv.appendChild(document.createElement('div'));
var contractTriggerDiv = document.createElement('div');
contractTriggerDiv.className = 'contract-trigger';
element.__resizeTriggers__.appendChild(expandTriggerDiv);
element.__resizeTriggers__.appendChild(contractTriggerDiv);
```

OR

```js
var htmlString =
  '<div class="expand-trigger"><div></div></div>' +
  '<div class="contract-trigger"></div>';
if (window.trustedTypes) {
  // The policy ignores its input and always returns the fixed markup
  var staticPolicy = trustedTypes.createPolicy(
    'react-virtualized-auto-sizer', {createHTML: () => htmlString});
  element.__resizeTriggers__.innerHTML = staticPolicy.createHTML('');
} else {
  element.__resizeTriggers__.innerHTML = htmlString;
}
```

Note that React already supports Trusted Types.


shhnjk commented Nov 23, 2020

@wuweiweiwu, could you take a look at #1614 or #1608 to fix this issue? We are having deployment issues due to this bug. Thanks!

shhnjk added a commit that referenced this issue Dec 9, 2020
…ElementResize.js (#1614)

* Create Trusted Type policy for assigning an HTML

Co-authored-by: Jun Kokatsu <Jun.Kokatsu@microsoft.com>

shhnjk commented Dec 9, 2020

@wuweiweiwu could you create a new v9.22.3 release with dfc1190?
