Merge branch '335684-remove-attribute-sanitization-from-dompurify-configuration' into 'master'

Remove attribute sanitization from DOMPurify configuration See merge request gitlab-org/gitlab!66502

Merge branch '335684-remove-attribute-sanitization-from-dompurify-configuration' into 'master'
Remove attribute sanitization from DOMPurify configuration See merge request gitlab-org/gitlab!66502
d8f9941e · Kushal Pandya · c83308d7 · 9dcf3f0b · d8f9941e
Commit d8f9941e authored Jul 26, 2021 by Kushal Pandya
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 13 deletions

app/assets/javascripts/lib/dompurify.js app/assets/javascripts/lib/dompurify.js +4 -13

No files found.
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
 import { sanitize as dompurifySanitize, addHook } from 'dompurify';
 import { getBaseURL, relativePathToAbsolute } from '~/lib/utils/url_utility';

-// Safely allow SVG <use> tags
-
 const defaultConfig = {
+  // Safely allow SVG <use> tags
  ADD_TAGS: ['use'],
+  // Prevent possible XSS attacks with data-* attributes used by @rails/ujs
+  // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
+  FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
 };

-const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
-
 // Only icons urls from `gon` are allowed
 const getAllowedIconUrls = (gon = window.gon) =>
  [gon.sprite_file_icons, gon.sprite_icons].filter(Boolean);
@@ -46,19 +46,10 @@ const sanitizeSvgIcon = (node) => {
  removeUnsafeHref(node, 'xlink:href');
 };

-const sanitizeHTMLAttributes = (node) => {
-  forbiddenDataAttrs.forEach((attr) => {
-    if (node.hasAttribute(attr)) {
-      node.removeAttribute(attr);
-    }
-  });
-};
-
 addHook('afterSanitizeAttributes', (node) => {
  if (node.tagName.toLowerCase() === 'use') {
    sanitizeSvgIcon(node);
  }
-  sanitizeHTMLAttributes(node);
 });

 export const sanitize = (val, config = defaultConfig) => dompurifySanitize(val, config);