Skip to content

Enable dompurify trusted types#10273

Open
Top-Cat wants to merge 1 commit intoswagger-api:masterfrom
Top-Cat:master
Open

Enable dompurify trusted types#10273
Top-Cat wants to merge 1 commit intoswagger-api:masterfrom
Top-Cat:master

Conversation

@Top-Cat
Copy link

@Top-Cat Top-Cat commented Feb 1, 2025

Add configuration option RETURN_TRUSTED_TYPE to DomPurify setup (https://github.com/cure53/DOMPurify?tab=readme-ov-file#what-about-dompurify-and-trusted-types)

Description

dangerouslySetInnerHTML will support this type automatically in place of a string.
I don't entirely understand why OAS3 trims the html and the base component doesn't but for now I've chosen to avoid updating a load of expected test values. Happy to change this if desired.

Motivation and Context

This allows enabling require-trusted-types-for in CSP to reduce XSS attack surface.

How Has This Been Tested?

Tested local dev server with both the default and an oas3 api (https://petstore3.swagger.io/api/v3/openapi.json)

Screenshots (if appropriate):

(Looks the same as before)

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

There are existing tests covering markdown rendering

@ponelat ponelat added the security fix Security fix generated by WhiteSource label Feb 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security fix Security fix generated by WhiteSource

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Top-Cat @ponelat