
fix: xss when rendering schema errors #4256

Merged
merged 10 commits into from
Jul 27, 2024
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -18,6 +18,11 @@ should change the heading of the (upcoming) version to include a major version b

# 5.19.4

## @rjsf/core

- Fix XSS when rendering schema validation errors [#4254](https://github.com/rjsf-team/react-jsonschema-form/issues/2718)
- NOTE: This will have potential consequences if you are using the [translateString](https://rjsf-team.github.io/react-jsonschema-form/docs/api-reference/form-props/#translatestring) feature and are trying to render HTML. Switching to [Markdown](https://www.markdownguide.org/) will solve your problems.

## @rjsf/utils

- Updated the `ValidatorType` interface to add an optional `reset?: () => void` prop that can be implemented to reset a validator back to initial constructed state
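Review bot: the changelog link text and target disagree: `[#4254](https://github.com/rjsf-team/react-jsonschema-form/issues/2718)` labels the entry #4254 but points at issue 2718, so one of the two should be corrected to match the referenced issue. The NOTE would also be more useful stated plainly: raw HTML inside strings returned from `translateString` is no longer parsed, while Markdown syntax remains supported; "will solve your problems" reads informally for a release note.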
2 changes: 1 addition & 1 deletion packages/core/src/components/fields/ObjectField.tsx
Expand Up @@ -263,7 +263,7 @@ class ObjectField<T = any, S extends StrictRJSFSchema = RJSFSchema, F extends Fo
return (
<div>
<p className='config-error' style={{ color: 'red' }}>
<Markdown>
<Markdown options={{ disableParsingRawHTML: true }}>
{translateString(TranslatableString.InvalidObjectField, [name || 'root', (err as Error).message])}
</Markdown>
</p>
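Review bot: `options={{ disableParsingRawHTML: true }}` is passed inline here and repeated at the other `<Markdown>` call sites in this PR; a single shared wrapper component (or an exported options constant) would make the safe configuration the default, so a future `<Markdown>` usage that forgets the option cannot silently reintroduce raw-HTML parsing of error text.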
7 changes: 5 additions & 2 deletions packages/core/src/components/fields/SchemaField.tsx
Expand Up @@ -201,8 +201,11 @@ function SchemaFieldRender<T = any, S extends StrictRJSFSchema = RJSFSchema, F e

const description = uiOptions.description || props.schema.description || schema.description || '';

const richDescription = uiOptions.enableMarkdownInDescription ? <Markdown>{description}</Markdown> : description;

const richDescription = uiOptions.enableMarkdownInDescription ? (
<Markdown options={{ disableParsingRawHTML: true }}>{description}</Markdown>
) : (
description
);
const help = uiOptions.help;
const hidden = uiOptions.widget === 'hidden';

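Review bot: a regression test belongs with this hunk: render a field whose `description` (from `uiOptions.description`, `props.schema.description` or `schema.description`) contains an HTML tag with `enableMarkdownInDescription` set, and assert the tag appears as literal text rather than as an element. The non-Markdown branch returns `description` as a plain string child, which React escapes, so only the `<Markdown options={{ disableParsingRawHTML: true }}>` branch needs covering.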
Expand Up @@ -27,7 +27,7 @@ function UnsupportedField<T = any, S extends StrictRJSFSchema = RJSFSchema, F ex
return (
<div className='unsupported-field'>
<p>
<Markdown>{translateString(translateEnum, translateParams)}</Markdown>
<Markdown options={{ disableParsingRawHTML: true }}>{translateString(translateEnum, translateParams)}</Markdown>
</p>
{schema && <pre>{JSON.stringify(schema, null, 2)}</pre>}
</div>
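Review bot: the options object `{{ disableParsingRawHTML: true }}` is allocated on every render of `UnsupportedField`; hoisting it to a module-level constant shared with `ObjectField` and `SchemaField` avoids the per-render allocation and keeps the three call sites from drifting. The adjacent `{schema && <pre>{JSON.stringify(schema, null, 2)}</pre>}` renders the schema as a text child rather than through `<Markdown>`, so it needs no equivalent change.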