feat(project): sanitize html content

- dompurify package added to sanitze content Solves #47
jwplayer · Jul 7, 2022 · 658f199 · 658f199
1 parent 9bdb26e
commit 658f199
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 8 deletions.
diff --git a/package.json b/package.json
@@ -39,6 +39,7 @@
   "dependencies": {
     "allure-commandline": "^2.17.2",
     "classnames": "^2.3.1",
+    "dompurify": "^2.3.8",
     "history": "^4.10.1",
     "i18next": "^20.3.1",
     "i18next-browser-languagedetector": "^6.1.1",
@@ -63,6 +64,7 @@
     "@commitlint/config-conventional": "^12.1.1",
     "@testing-library/jest-dom": "^5.16.4",
     "@testing-library/react": "^11.2.6",
+    "@types/dompurify": "^2.3.3",
     "@types/jwplayer": "^8.2.7",
     "@types/lodash.merge": "^4.6.6",
     "@types/node": "^17.0.23",
@@ -124,4 +126,4 @@
     "glob-parent": "^5.1.2",
     "codeceptjs/**/ansi-regex": "^4.1.1"
   }
-}
+}
diff --git a/src/components/Account/Account.tsx b/src/components/Account/Account.tsx
@@ -2,6 +2,7 @@ import React, { useMemo } from 'react';
 import { useTranslation } from 'react-i18next';
 import { useHistory } from 'react-router-dom';
 import shallow from 'zustand/shallow';
+import DOMPurify from 'dompurify';
 
 import type { FormSectionContentArgs, FormSectionProps } from '../Form/FormSection';
 import Visibility from '../../icons/Visibility';
@@ -59,9 +60,9 @@ const Account = ({ panelClassName, panelHeaderClassName }: Props): JSX.Element =
   );
 
   const formatConsentLabel = (label: string): string | JSX.Element => {
-    // @todo sanitize consent label to prevent XSS
-    const hasHrefOpenTag = /<a(.|\n)*?>/.test(label);
-    const hasHrefCloseTag = /<\/a(.|\n)*?>/.test(label);
+    const sanitizedLabel = DOMPurify.sanitize(label);
+    const hasHrefOpenTag = /<a(.|\n)*?>/.test(sanitizedLabel);
+    const hasHrefCloseTag = /<\/a(.|\n)*?>/.test(sanitizedLabel);
 
     if (hasHrefOpenTag && hasHrefCloseTag) {
       return <span dangerouslySetInnerHTML={{ __html: label }} />;

diff --git a/src/components/RegistrationForm/RegistrationForm.tsx b/src/components/RegistrationForm/RegistrationForm.tsx
@@ -1,6 +1,7 @@
 import React from 'react';
 import { useHistory } from 'react-router';
 import { useTranslation } from 'react-i18next';
+import DOMPurify from 'dompurify';
 
 import useToggle from '../../hooks/useToggle';
 import { addQueryParam } from '../../utils/history';
@@ -56,9 +57,9 @@ const RegistrationForm: React.FC<Props> = ({
   const history = useHistory();
 
   const formatConsentLabel = (label: string): string | JSX.Element => {
-    // @todo sanitize consent label to prevent XSS
-    const hasHrefOpenTag = /<a(.|\n)*?>/.test(label);
-    const hasHrefCloseTag = /<\/a(.|\n)*?>/.test(label);
+    const sanitizedLabel = DOMPurify.sanitize(label);
+    const hasHrefOpenTag = /<a(.|\n)*?>/.test(sanitizedLabel);
+    const hasHrefCloseTag = /<\/a(.|\n)*?>/.test(sanitizedLabel);
 
     if (hasHrefOpenTag && hasHrefCloseTag) {
       return <span dangerouslySetInnerHTML={{ __html: label }} />;

diff --git a/yarn.lock b/yarn.lock
@@ -1574,6 +1574,13 @@
   resolved "https://registry.yarnpkg.com/@types/chai/-/chai-4.3.1.tgz#e2c6e73e0bdeb2521d00756d099218e9f5d90a04"
   integrity sha512-/zPMqDkzSZ8t3VtxOa4KPq7uzzW978M9Tvh+j7GHKuo6k6GTLxPJ4J5gE5cjfJ26pnXst0N5Hax8Sr0T2Mi9zQ==
 
+"@types/dompurify@^2.3.3":
+  version "2.3.3"
+  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-2.3.3.tgz#c24c92f698f77ed9cc9d9fa7888f90cf2bfaa23f"
+  integrity sha512-nnVQSgRVuZ/843oAfhA25eRSNzUFcBPk/LOiw5gm8mD9/X7CNcbRkQu/OsjCewO8+VIYfPxUnXvPEVGenw14+w==
+  dependencies:
+    "@types/trusted-types" "*"
+
 "@types/estree@0.0.39":
   version "0.0.39"
   resolved "https://registry.yarnpkg.com/@types/estree/-/estree-0.0.39.tgz#e177e699ee1b8c22d23174caaa7422644389509f"
@@ -1752,7 +1759,7 @@
   dependencies:
     "@types/jest" "*"
 
-"@types/trusted-types@^2.0.2":
+"@types/trusted-types@*", "@types/trusted-types@^2.0.2":
   version "2.0.2"
   resolved "https://registry.yarnpkg.com/@types/trusted-types/-/trusted-types-2.0.2.tgz#fc25ad9943bcac11cceb8168db4f275e0e72e756"
   integrity sha512-F5DIZ36YVLE+PN+Zwws4kJogq47hNgX3Nx6WyDJ3kcplxyke3XIzB8uK5n/Lpm1HBsbGzd6nmGehL8cPekP+Tg==
@@ -3474,6 +3481,11 @@ domhandler@^4.3.1:
   dependencies:
     domelementtype "^2.2.0"
 
+dompurify@^2.3.8:
+  version "2.3.8"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.3.8.tgz#224fe9ae57d7ebd9a1ae1ac18c1c1ca3f532226f"
+  integrity sha512-eVhaWoVibIzqdGYjwsBWodIQIaXFSB+cKDf4cfxLMsK0xiud6SE+/WCVx/Xw/UwQsa4cS3T2eITcdtmTg2UKcw==
+
 domutils@^1.5.1:
   version "1.7.0"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a"