
sanitise some admin-controlled HTML #406

Merged dakkar requested to merge dakkar/Sharkey-thenautilus:fixes/406 into develop

What does this PR do?

as the static analysis noted, we were passing some values unfiltered from the backend to the frontend. now, in most cases this is perfectly fine, but some of those values are admin-controlled, and not filtered by the backend.

this PR passes those values (instance description and rules) through the sanitizeHtml function, which will remove things like <script> that could be used by a nasty admin to do nasty things. (NOTE: I could not get those scripts to actually execute, but just injecting them felt dangerous enough).

Contribution Guidelines

By submitting this merge request, you agree to follow our Contribution Guidelines

  • I agree to follow this project's Contribution Guidelines
  • I have made sure to test this pull request
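The kind of filtering this MR describes, as an added example that is not Sharkey's own sanitizeHtml: an allowlist sanitizer for admin-controlled strings such as the instance description or rules. The function name sanitizeAdminHtml and the tag allowlist are assumptions for illustration; the approach keeps a few attribute-less tags in canonical form and entity-encodes everything else, so neither unknown tags nor attributes ever reach the page as markup.

```javascript
// Added example (not Sharkey's sanitizeHtml): allowlist sanitizer for
// admin-controlled HTML (instance description, server rules).
// Only a small set of tags is kept, re-emitted without attributes; every
// other tag and all text is entity-encoded. No input byte is copied
// through unchanged, so nothing outside the allowlist can become markup.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li']);
const VOID_TAGS = new Set(['br']); // have no closing form

function escapeText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

function sanitizeAdminHtml(input) {
  // One whole tag: optional '/', a tag name, then anything up to '>'.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (ALLOWED_TAGS.has(name) && !(closing && VOID_TAGS.has(name))) {
      // Canonical markup only: attributes (including inline handlers) are dropped.
      out += closing ? `</${name}>` : `<${name}>`;
    } else {
      // Anything else (script, iframe, comments, ...) is rendered as literal text.
      out += escapeText(m[0]);
    }
    last = tagRe.lastIndex;
  }
  out += escapeText(input.slice(last));
  return out;
}

// Constructed sample of admin-supplied description text.
const sampleDescription = '<p onclick="x()">Welcome <b>home</b></p><script>alert(1)</script>';
console.log(sanitizeAdminHtml(sampleDescription));
```

In a real deployment the project's own sanitizeHtml or a maintained sanitizer library should be used; this block only shows why dropping attributes and encoding by default is the safe direction.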
