Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[question] How do I ignore XSS errors on custom JSX components? #149

Closed
2 tasks done
coindegen opened this issue Mar 13, 2024 · 4 comments · Fixed by #158
Closed
2 tasks done

[question] How do I ignore XSS errors on custom JSX components? #149

coindegen opened this issue Mar 13, 2024 · 4 comments · Fixed by #158

Comments

@coindegen
Copy link

coindegen commented Mar 13, 2024
edited
Loading

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Versions

"@kitajs/ts-html-plugin": "^1.3.4",

Description

Hi there,

first off, love the project. Has been absolutely flawless so far.

I read the following in your docs (https://kitajs.github.io/ts-html-plugin/#special-cases) :

Ternary and binary operations are evaluated in both sides separately and will throw errors if any of the sides is not safe, even their condition never gets hit at runtime.

I'm finding the XSS plugin exceedingly aggressive, finding errors where there shouldn't be. I'm hoping you can suggest some workarounds. Consider the following code:

<div class="body">
              {collection.website && (
                <Badge externalUrl={collection.website} symbol="website" />
              )}
              {collection.twitter && (
                <Badge externalUrl={collection.twitter} symbol="x" />
              )}
              {collection.discord && (
                <Badge externalUrl={collection.discord} symbol="discord" />
              )}
</div>

Each of these gets flagged as xss-prone content as in the screenshot (whether I use short-circuiting above or switch to ? : syntax makes no difference.) This doesn't feel like the intention behind the plugin at all.

I tried escaping the content like this:

              {collection.website && (
                <Badge
                  externalUrl={Html.escapeHtml(collection.website)}
                  symbol="website"
                />
              )}

But it's still flagged as xss prone.

I don't want to pass the safe attribute to the enclosing <div>, because <Badge /> is a custom component comprising more JSX.

a) Is there a way to mark a component as "safe", like a string primitive?
b) Wouldn't it be more sensible to skip XSS warnings for custom JSX components? Maybe I'm missing something but I only care about that warning on standard HTML tags like <div>, <span>, <p>, etc...

Thanks very much.

image

Steps to Reproduce

use above code snippet

Expected Behavior

No response
@coindegen coindegen changed the title [question] [question] How do I ignore XSS errors on custom JSX components? Mar 13, 2024
@arthurfiorette
Copy link
Member

https://github.com/kitajs/html/tree/master/packages/ts-html-plugin#handling-warnings

@arthurfiorette
Copy link
Member

But I'm pretty sure this is related to #146

@JacopoPatroclo
Copy link

@arthurfiorette I can take a look into this

@arthurfiorette
Copy link
Member

Sure, go for it :)

@JacopoPatroclo JacopoPatroclo mentioned this issue Mar 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Handle self closing elements ts-html-plugin JacopoPatroclo/html
3 participants
@JacopoPatroclo @arthurfiorette @coindegen