DOMPurify: Disallow form tag by default
Implements https://gitlab.com/gitlab-org/gitlab/-/issues/370314.
What does this MR do and why?
This MR forbids the `<form>` and `<input>` tags in DOMPurify & v-safe-html. This is being done to prevent possible injection attacks.
To learn more about the security part of it, see related issue.
This change is feature flag controlled with a new flag `dompurify_advance_filter`.
Note: The input tags will be forbidden with #383333.
Screenshots or screen recordings
No visual changes for users.
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Dheeraj Joshi