Draft: feat(SafeHtml): remove style attrs and tags

Dheeraj Joshi requested to merge djadmin-v-safe-html-forbid-styles into main

What does this MR do and why?

DOMPurify (used by v-safe-html) allows style tags and attributes by default.

This MR is updating the default configuration to remove all the tags / attrs which can potentially mutate page styling. This is to add defense-in-depth and avoid issues like phishing attacks with the help of HTML Injection.

Some related discussions at gitlab#342988 (comment 705893457).

Does this MR meet the acceptance criteria?

Conformity

  • Code review guidelines.
  • GitLab UI's contributing guidelines.
  • If it changes a Pajamas-compliant component's look & feel, the MR has been reviewed by a UX designer.
  • If it changes GitLab UI's documentation guidelines, the MR has been reviewed by a Technical Writer.
  • If the MR changes a component's API, integration MR(s) have been opened in the following projects to ensure that the @gitlab/ui package can be upgraded quickly after the changes are released:
  • Added the ~"component:*" label(s) if applicable.

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Dheeraj Joshi
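An added example (not code from this MR or from GitLab UI) of the defense-in-depth setting the description calls for: a DOMPurify configuration that forbids `<style>` elements and `style` attributes, plus a coarse regression check a unit test can run over sanitizer output. FORBID_TAGS and FORBID_ATTR are DOMPurify's own options; the helper names and the sample strings are constructed here.

```javascript
// Added example, not the MR's code: build a DOMPurify config that forbids
// styling, and check sanitizer output for anything that slipped through.
const STYLE_TAGS = ['style'];
const STYLE_ATTRS = ['style'];

// Merge the style bans into a caller-supplied DOMPurify config without
// dropping anything the caller already forbids (helper name is ours).
function forbidStylesConfig(base = {}) {
  const merge = (a, b) => [...new Set([...(a || []), ...b])];
  return {
    ...base,
    FORBID_TAGS: merge(base.FORBID_TAGS, STYLE_TAGS),
    FORBID_ATTR: merge(base.FORBID_ATTR, STYLE_ATTRS),
  };
}

// Coarse regression check for *sanitizer output*, which DOMPurify serializes
// in a normalized form: true if a <style> element or a style attribute
// survived. Not a substitute for the sanitizer itself.
const STYLE_TAG_RE = /<\s*style\b/i;
const STYLE_ATTR_RE = /<[a-z][^>]*\sstyle\s*=/i;

function leaksStyling(sanitizedHtml) {
  return STYLE_TAG_RE.test(sanitizedHtml) || STYLE_ATTR_RE.test(sanitizedHtml);
}

// Constructed sample strings: an input carrying inline and block styling,
// and the form it should take once styling is forbidden.
const SAMPLE_DIRTY =
  '<div style="color:red">hello</div><style>p { display: none }</style>';
const SAMPLE_CLEAN = '<div>hello</div>';

// Usage with DOMPurify (not bundled in this example):
//   const clean = DOMPurify.sanitize(dirty, forbidStylesConfig({ USE_PROFILES: { html: true } }));
//   if (leaksStyling(clean)) throw new Error('styling survived sanitization');
```

In a test suite, run `leaksStyling` over the sanitizer's output for a few fixtures so a future config change that re-allows styling fails the build.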
