Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixing bug: Unsafe HTML constructed from library input #3312

Merged
merged 5 commits into from
Jan 29, 2025
Merged

Fixing bug: Unsafe HTML constructed from library input #3312

merged 5 commits into from
Jan 29, 2025

Conversation

navya9singh
Copy link
Member

This PR fixes https://liquid.microsoft.com/codeql/issues/71221708-d80d-49f5-b177-1b536b3b3e22 where unsafe HTML was constructed from library input. Fix is according to the recommendation provided by https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM03892#Zguide.

@navya9singh navya9singh added the deploy-preview Enables automatic deployments to preview environments on a PR label Jan 27, 2025
@navya9singh navya9singh added deploy-preview Enables automatic deployments to preview environments on a PR and removed deploy-preview Enables automatic deployments to preview environments on a PR labels Jan 28, 2025
@orta
Copy link
Contributor

orta commented Jan 29, 2025

I'd recommend switching the text for that button to use innerText instead of innerHtml and then manually adding the span, it's got a problem with the DOM insert, which innerText protect against naturally

( But no idea what's going on with that dependency, Gatsby normally bundles deps, maybe it makes a networking request inside its codebase? )

@jakebailey
Copy link
Member

Yeah, the code I am suggesting is:

const versionButton = document.querySelectorAll("#versions > a").item(0)
versionButton.textContent = "v" + sandbox.ts.version + " "
const caret = document.createElement("spam")
caret.classList.add("caret")
versionButton.appendChild(caret)

or similar

jakebailey
jakebailey reviewed Jan 29, 2025
View reviewed changes
packages/playground/package.json Outdated
@@ -17,7 +17,8 @@
"dependencies": {
"@typescript/playground-worker": "workspace:*",
"@typescript/sandbox": "workspace:*",
"esbuild": "^0.17.8"
"esbuild": "^0.17.8",
"striptags": "^3.2.0"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes to package.json / pnpm-lock can now be reverted.

@navya9singh navya9singh added deploy-preview Enables automatic deployments to preview environments on a PR and removed deploy-preview Enables automatic deployments to preview environments on a PR labels Jan 29, 2025
@github-actions GitHub Actions
Copy link
Contributor

Azure Static Web Apps: Your stage site is ready! Visit it here: https://victorious-plant-05c166c10-3312.centralus.5.azurestaticapps.net

jakebailey
jakebailey approved these changes Jan 29, 2025
View reviewed changes
Copy link
Member

@jakebailey jakebailey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to work.

@navya9singh navya9singh merged commit 775d2ab into v2 Jan 29, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jakebailey jakebailey jakebailey approved these changes

Assignees
No one assigned
Labels
deploy-preview Enables automatic deployments to preview environments on a PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@navya9singh @orta @jakebailey