security: sanitize key_value field content (avo-hq#2357)
adrianthedev authored Jan 12, 2024
1 parent adc874f commit 51bb80b
Showing 3 changed files with 8 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app/javascript/js/controllers/fields/key_value_controller.js
@@ -1,4 +1,5 @@
/* eslint-disable max-len */
import * as DOMPurify from 'dompurify'
import { Controller } from '@hotwired/stimulus'
import { castBoolean } from '../../helpers/cast_boolean'

Expand Down Expand Up @@ -80,7 +81,7 @@ export default class extends Controller {
let index = 0
this.fieldValue.forEach((row) => {
const [key, value] = row
result += this.interpolatedRow(key, value, index)
result += this.interpolatedRow(DOMPurify.sanitize(key), DOMPurify.sanitize(value), index)
index++
})
this.rowsTarget.innerHTML = result
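Review bot: The sanitization added on the new line 27 is applied in the wrong context if `interpolatedRow` places `key` and `value` inside quoted attribute values (for example an input's `value="..."`) before the assembled string is assigned to `innerHTML` on line 30: DOMPurify.sanitize strips disallowed markup but leaves quote characters as-is, so a quote in the data can still terminate the attribute. `interpolatedRow` is defined outside this hunk, so this is inferred from its name and the `innerHTML` sink; if the values end up as text content only, the concern does not apply. The context-correct fix is to HTML-entity-encode `&`, `<`, `>`, `"` and `'` for each interpolation site, or to build the row with DOM APIs and assign `input.value` directly so no markup is parsed at all. Sanitizing also changes legitimate data (a key containing `<` or an element-like substring is altered or dropped on round-trip), which plain escaping would not do. The enclosing method starts and ends outside the hunk.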
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -34,6 +34,7 @@
"codemirror": "5.59.1",
"core-js": "^3.35.0",
"css-loader": "^6.9.0",
"dompurify": "^3.0.8",
"easymde": "^2.18.0",
"el-transition": "^0.0.7",
"esbuild": "^0.14.54",
5 changes: 5 additions & 0 deletions yarn.lock
Expand Up @@ -2090,6 +2090,11 @@ doctrine@^3.0.0:
dependencies:
esutils "^2.0.2"

dompurify@^3.0.8:
version "3.0.8"
resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.8.tgz#e0021ab1b09184bc8af7e35c7dd9063f43a8a437"
integrity sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ==

easymde@^2.18.0:
version "2.18.0"
resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.18.0.tgz#ff1397d07329b1a7b9187d2d0c20766fa16b3b1b"
