feat: make html sanitization optional #6432
Status: Open (+5 −1)
Describe the reason for change
We inject supplementary details into the labeler's interface that they need when making informed labeling decisions (but which aren't the object being labelled). This is usually data types which are not currently supported by LS (for example an interactive scrollable/zoomable map showing some geojson). Additionally this lets us smooth over any small gaps between what LS offers and what we need for any specific use case, without needing to fork LS.
Until #5232, we could use the HyperText tag for this, injecting elements & scripts. However that no longer works. It is pretty reasonable that you want to limit people's ability to mess with the DOM, but in practice this code injection approach can work well.
What does this fix?
See above. Here are a few other people encountering similar issues: #5860 #5688
What is the new behavior?
The <HyperText> tag now has an optional sanitizeHtml argument (default true; keeps the old behavior), which can be used to bypass sanitization.
What is the current behavior?
When using the <HyperText> tag, the specified html is always sanitized, removing several tag types (script etc). There is no way to opt out of this.
What libraries were added/updated?
None
Does this change affect performance?
Not measurably
Does this change affect security?
Code injection if misused, but it's opt-in; the user is accepting that risk. Partially mitigated via CSP.
What alternative approaches were there?
Currently we are using v1.10.01 as it's the last version before html sanitization was added.
A better overall approach might be to support an html/iframe "visual & experience tag", as the use case for this is not as part of the object being labeled.
What feature flags were used to cover this change?
None, it's already opt-in
Does this PR introduce a breaking change?
What level of testing was included in the change?
I'd happily take some guidance on where the relevant tests are, and fill the gap. I struggled to orient myself within the mobx-state-tree stuff.
Which logical domain(s) does this change affect?
frontend