Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Opt out from sanitize-html safely? (package too big) #429

Closed
andreasnilssondev opened this issue Sep 13, 2018 · 8 comments · May be fixed by saurabharch/guesstimate-app#4
Closed

Opt out from sanitize-html safely? (package too big) #429

andreasnilssondev opened this issue Sep 13, 2018 · 8 comments · May be fixed by saurabharch/guesstimate-app#4

Comments

@andreasnilssondev
Copy link

Hi, first of all many thanks for this package making life easier for us!

I noticed that our total bundle size suddenly increased by 50%, and after some detective work I pinpointed the issue to the html-sanitizer package added here: #422

This addition made react-tooltip 7(!) times bigger in size and unfortunately that is a dealbreaker for us. Now this was improved a bit by replacing it with sanitize-html-react (#426) but it's still very big for a tooltip component (for our usecase).

I found this tool which gives a graph of the size changes, I don't know the accuracy but it should give an idea at least: https://bundlephobia.com/result?p=react-tooltip@3.8.0

I understand that this is for security purposes, but is there a way to safely opt out from this massive package, we don't really need to let users write the actual html, but we do use some markup where we insert strings from users.

Sorry for potentially stupid question since I don't know the code very well, but is there a way to avoid dangerousslySetInnerHtml and simply render children instead? If that removes the need for sanitizing.

Thanks

@andreasnilssondev andreasnilssondev changed the title Opt out from sanitize-html (safely)? Opt out from sanitize-html safely? (package too big) Sep 13, 2018
@aronhelser
Copy link
Collaborator

Cool - thanks for the info and package size info. I didn't know the package size would increase so much when we included the sanitization. I'm not familiar with what the issues around injection are, so I'm not sure what action we need to take as a component, balanced against this bundle size issue.

@wichniowski and @jgerlier can you give us some idea when/why injection is a issue for a component like this?

@jgerlier
Copy link
Contributor

I'm really not an expert on the subject and I don't know a lot about this package, as I was mainly concerned by the huge size increase the dependency update brought in the app I'm working on. However after a quick look in the code and documentation, I understant the data-tip HTML attribute can be used to pass HTML content, and it is not possible to use only React children, because this piece of HTML is read directly in the DOM and not from a prop by the ReactTooltip component.

I assume it is dangerous to inject plain HTML in the DOM as it can be used to inject a malicious script or something like that.

Is the use case here to declare only one ReactTooltip element, and then reuse it with various content just by changing the data-tip attribute on the elements pointing on it ?

I think using the DOM to pass attributes between React elements is not really the "React" way to do it, so I don't see any solution allowing to remove the sanitization that doesn't imply passing only a string or a React element / render prop as a placeholder (for example by specifying a mapping with a placeholder-id).

@aronhelser
Copy link
Collaborator

I'm thinking about reverting the sanitization completely, and putting in the docs the inputs which must be sanitized if they come from users.

@sgiacinto
Copy link

Hello, we're having this exact same issue. Excellent component and dead easy to implement, however the increase in bundle size due to the sanitation makes it a no-go. Hopefully you can either make it optional or remove it.
Thanks!

@aronhelser
Copy link
Collaborator

@wwayne I haven't had a chance to look at this, but what do you think - is it OK to remove the sanitization and document that if you use 'html' you have to sanitize user input?

@wwayne
Copy link
Collaborator

wwayne commented Dec 5, 2018

@aronhelser yeah I agree, thank you 👍

@wmertens
Copy link

In the meantime I worked around this issue by making a file that exports text => text and telling webpack to alias sanitize-html-react to that file => gzipped bundle size dropped by 30kb

aronhelser added a commit that referenced this issue Jan 1, 2019
Remove sanitize html, to reduce our package size. Document
the need for sanitization in the readme.

Fixes #429
@wwayne
Copy link
Collaborator

wwayne commented Jan 2, 2019

🎉 This issue has been resolved in version 3.9.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

jafin pushed a commit to jafin/react-tooltip that referenced this issue Sep 30, 2022
# 1.0.0-alpha.1 (2022-04-03)

### Bug Fixes

* add aria hidden attribute to style tag ([ReactTooltip#703](https://github.com/CodeForked/react-tooltip/issues/703)) ([d60c2b7](CodeForked/react-tooltip@d60c2b7))
* **aftershow:** call afterShow only after state has fully updated ([54752e8](CodeForked/react-tooltip@54752e8))
* **aphrodite_jss_deprecation:** aphrodite_jss replaced with custom solution ([fcdf7f1](CodeForked/react-tooltip@fcdf7f1))
* **aphrodite_jss_deprecation:** aphrodite_jss replaced with custom solution ([92fcf5b](CodeForked/react-tooltip@92fcf5b))
* **build:** removing single quotes on cpy for windows shell ([ReactTooltip#632](https://github.com/CodeForked/react-tooltip/issues/632)) ([9c280af](CodeForked/react-tooltip@9c280af))
* **colors:** allow customizable text, background, border, arrow colors ([9a85253](CodeForked/react-tooltip@9a85253))
* **compability:** add polyfill and change styles ([ReactTooltip#706](https://github.com/CodeForked/react-tooltip/issues/706)) ([b6e9a1c](CodeForked/react-tooltip@b6e9a1c))
* deleting warning in peer dependencies ([f30ae74](CodeForked/react-tooltip@f30ae74))
* do not delay show if tooltip is already shown ([ReactTooltip#676](https://github.com/CodeForked/react-tooltip/issues/676)) ([e8b9d84](CodeForked/react-tooltip@e8b9d84))
* **domexception:** revert previous changed for unexpected behavior ([85e38bb](CodeForked/react-tooltip@85e38bb)), closes [ReactTooltip#667](https://github.com/CodeForked/react-tooltip/issues/667)
* effect and type not properly applied at first render ([a8d0e51](CodeForked/react-tooltip@a8d0e51))
* **event:** expose the original event to `afterShow` and `afterHide` ([e2f973e](CodeForked/react-tooltip@e2f973e))
* **example:** 'made dev' works again, small fixes. ([7b286bb](CodeForked/react-tooltip@7b286bb)), closes [ReactTooltip#328](https://github.com/CodeForked/react-tooltip/issues/328) [ReactTooltip#341](https://github.com/CodeForked/react-tooltip/issues/341)
* **example:** <p> warning from react, make text match code. ([7c4c979](CodeForked/react-tooltip@7c4c979))
* **examples:** add SVG example ([72a98d7](CodeForked/react-tooltip@72a98d7))
* fix ie edge CustomEvent bug ([ReactTooltip#567](https://github.com/CodeForked/react-tooltip/issues/567)) ([b7f04f7](CodeForked/react-tooltip@b7f04f7)), closes [ReactTooltip#498](https://github.com/CodeForked/react-tooltip/issues/498)
* **getPosition Util:** Remove shouldUpdatePlace check from position check ([1f8a054](CodeForked/react-tooltip@1f8a054)), closes [ReactTooltip#574](https://github.com/CodeForked/react-tooltip/issues/574)
* **getposition:** properly determine parents with will-change: transform ([3a76250](CodeForked/react-tooltip@3a76250))
* **getPosition:** updated getPosition to fix 'maximum update depth' ([8fda305](CodeForked/react-tooltip@8fda305))
* **githubPage:** updating github page build in travis ([87b810a](CodeForked/react-tooltip@87b810a))
* **html:** remove sanitize-html-react, reduce package size ([177ac11](CodeForked/react-tooltip@177ac11)), closes [ReactTooltip#429](https://github.com/CodeForked/react-tooltip/issues/429)
* **index.js:** add missing argument so tooltip hides. ([4d3661b](CodeForked/react-tooltip@4d3661b))
* **index.js:** fix exception when testing with Jest ([ReactTooltip#682](https://github.com/CodeForked/react-tooltip/issues/682)) ([f885f1f](CodeForked/react-tooltip@f885f1f))
* **index.js:** fix state initialization ([69dea07](CodeForked/react-tooltip@69dea07))
* **index.js:** Replaced the deprecated `componentWillReceiveProps`. ([80b71ed](CodeForked/react-tooltip@80b71ed))
* **index.js:** Use correct orientation when mouse enters ([4a0da8b](CodeForked/react-tooltip@4a0da8b)), closes [ReactTooltip#388](https://github.com/CodeForked/react-tooltip/issues/388)
* install dependencies in example travis ([7ba8b28](CodeForked/react-tooltip@7ba8b28))
* **isCapture:** better guard that preserves logic ([28b8493](CodeForked/react-tooltip@28b8493))
* **isCapture:** guard use of currentTarget ([4f89a2d](CodeForked/react-tooltip@4f89a2d))
* **lint:** styles are now linted with stylelint ([3c17198](CodeForked/react-tooltip@3c17198))
* made it possible to pass uuid instead of generating one internally ([ReactTooltip#583](https://github.com/CodeForked/react-tooltip/issues/583)) ([083edfb](CodeForked/react-tooltip@083edfb)), closes [ReactTooltip#580](https://github.com/CodeForked/react-tooltip/issues/580)
* mark prop-types and uuid as external to avoid bundling them ([ReactTooltip#582](https://github.com/CodeForked/react-tooltip/issues/582)) ([fb60855](CodeForked/react-tooltip@fb60855))
* modifying example ([9dc0b2e](CodeForked/react-tooltip@9dc0b2e))
* **no_var:** no vars allowed ([c591804](CodeForked/react-tooltip@c591804))
* **overridePosition:** providing currentEvent in overridePosition ([ReactTooltip#563](https://github.com/CodeForked/react-tooltip/issues/563)) ([3e75a09](CodeForked/react-tooltip@3e75a09)), closes [ReactTooltip#513](https://github.com/CodeForked/react-tooltip/issues/513)
* performance issue caused by excessive use of clearTimeout/Interval ([22aea50](CodeForked/react-tooltip@22aea50))
* providing currentTarget in overridePosition ([ReactTooltip#564](https://github.com/CodeForked/react-tooltip/issues/564)) ([22c3bac](CodeForked/react-tooltip@22c3bac))
* **pr:** package.json fix; refactoring to exclude dependencies ([fdc17d4](CodeForked/react-tooltip@fdc17d4))
* release event listners ([ReactTooltip#534](https://github.com/CodeForked/react-tooltip/issues/534)) ([7cc1203](CodeForked/react-tooltip@7cc1203))
* **selector:** Add support for shadow DOM elements ([99be4d1](CodeForked/react-tooltip@99be4d1))
* **selector:** lint fixes ([873c2a8](CodeForked/react-tooltip@873c2a8))
* set aria-describedby value wrong when custom id ([a04d26c](CodeForked/react-tooltip@a04d26c))
* **showtooltip:** check if tooltipRef is undefined ([ReactTooltip#623](https://github.com/CodeForked/react-tooltip/issues/623)) ([f63eab2](CodeForked/react-tooltip@f63eab2))
* skip warning in example ([a555060](CodeForked/react-tooltip@a555060))
* **src/index.js:** add accessibility support for tabbing ([ReactTooltip#695](https://github.com/CodeForked/react-tooltip/issues/695)) ([ae936a5](CodeForked/react-tooltip@ae936a5))
* **src/index.js:** hide tooltip if blurred (tabbed out) ([ReactTooltip#699](https://github.com/CodeForked/react-tooltip/issues/699)) ([e0a2a1d](CodeForked/react-tooltip@e0a2a1d))
* **src/index.js:** Overwrite `delayHide` on scroll ([7a2d0b3](CodeForked/react-tooltip@7a2d0b3)), closes [ReactTooltip#474](https://github.com/CodeForked/react-tooltip/issues/474)
* **staticMethods:** fixing IE event bug ([ReactTooltip#569](https://github.com/CodeForked/react-tooltip/issues/569)) ([9acc591](CodeForked/react-tooltip@9acc591))
* string into example ([356821b](CodeForked/react-tooltip@356821b))
* **style injection:** change style injection default root ([a00c5b7](CodeForked/react-tooltip@a00c5b7)), closes [ReactTooltip#665](https://github.com/CodeForked/react-tooltip/issues/665)
* **styles:** add styles for shadow dom ([00d1539](CodeForked/react-tooltip@00d1539)), closes [ReactTooltip#597](https://github.com/CodeForked/react-tooltip/issues/597)
* **styles:** change style injection way ([ReactTooltip#668](https://github.com/CodeForked/react-tooltip/issues/668)) ([1e10cce](CodeForked/react-tooltip@1e10cce)), closes [ReactTooltip#650](https://github.com/CodeForked/react-tooltip/issues/650)
* **tooltip:** sanitize HTML to prevent XSS ([182df11](CodeForked/react-tooltip@182df11))
* **type:** added role property to types ([ReactTooltip#679](https://github.com/CodeForked/react-tooltip/issues/679)) ([9b49395](CodeForked/react-tooltip@9b49395))
* **type:** Fix global method parameter type ([ReactTooltip#585](https://github.com/CodeForked/react-tooltip/issues/585)) ([5e2b8db](CodeForked/react-tooltip@5e2b8db))
* **types:** adding types filename to package ([ReactTooltip#579](https://github.com/CodeForked/react-tooltip/issues/579)) ([05d8de2](CodeForked/react-tooltip@05d8de2))
* **types:** adding typescript d.ts file into dist ([e6300f7](CodeForked/react-tooltip@e6300f7)), closes [ReactTooltip#579](https://github.com/CodeForked/react-tooltip/issues/579)
* update uuid module ([d937e59](CodeForked/react-tooltip@d937e59))
* updating styles using transferSas ([f2f7804](CodeForked/react-tooltip@f2f7804))
* using css into example ([7d343af](CodeForked/react-tooltip@7d343af))
* using sass styles with rollup ([bb6fe48](CodeForked/react-tooltip@bb6fe48))
* **uuid:** Use uuid package for unique class names ([ReactTooltip#566](https://github.com/CodeForked/react-tooltip/issues/566)) ([c2c2243](CodeForked/react-tooltip@c2c2243))
* validate lint in pretest ([ad7add0](CodeForked/react-tooltip@ad7add0))

* Merge pull request ReactTooltip#550 from wwayne/refactoring ([4609833](CodeForked/react-tooltip@4609833)), closes [ReactTooltip#550](https://github.com/CodeForked/react-tooltip/issues/550)

### Features

* adding typescript type defs ([ReactTooltip#571](https://github.com/CodeForked/react-tooltip/issues/571)) ([cb2b921](CodeForked/react-tooltip@cb2b921))
* **clickable-prop:** add clickable prop ([a75b2be](CodeForked/react-tooltip@a75b2be)), closes [ReactTooltip#417](https://github.com/CodeForked/react-tooltip/issues/417)
* **component:** adding "padding" property to customize padding style ([9ae765a](CodeForked/react-tooltip@9ae765a))
* convert to typescript ([dc547c1](CodeForked/react-tooltip@dc547c1))
* getContent(dataTip) ([8bfbfc9](CodeForked/react-tooltip@8bfbfc9))
* **getContent:** update Travis, trigger semantic-release ([9617267](CodeForked/react-tooltip@9617267))
* **overridePosition:** Add "overridePosition" property to handle border cases and customize position ([ccb8b58](CodeForked/react-tooltip@ccb8b58))
* **overridePosition:** Added example ([7df8454](CodeForked/react-tooltip@7df8454))
* Small bug fix to previous commit ([19a8a67](CodeForked/react-tooltip@19a8a67))
* The only way to support styling react-tooltips with a strict csp is to inject the style.css di ([cf105a1](CodeForked/react-tooltip@cf105a1)), closes [ReactTooltip#340](https://github.com/CodeForked/react-tooltip/issues/340)
* **tooltip:** Add ability to hover on tooltip. Provide optional delay of updating so if the mouse p ([79342ce](CodeForked/react-tooltip@79342ce))

### Performance Improvements

* **Use sanitize-html-react instead of sanitize-html to avoid useless server side dependencies:** Us ([4b84caa](CodeForked/react-tooltip@4b84caa)), closes [ReactTooltip#424](https://github.com/CodeForked/react-tooltip/issues/424)

### BREAKING CHANGES

* Updating readme for demo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants