New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move safeHtml to React component. #3335
base: develop
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! A few minor notes:
-
components/common
is the location where we usually keep components likeSafeHtmlDocument
viewer that are included in multiple other components. Could you extract the component into its own file in that directory? -
Could you add tests (that cover at least the existing Python test cases)? There are few tests at the moment for the frontend codebase, but we try to add them for new stuff and it would be valuable especially for critical stuff like HTML sanitization imo. You can take a look at this test suite for the testing boilerplate: https://github.com/alephdata/aleph/blob/develop/ui/src/components/Timeline/util.test.ts
-
There’s a reference to
safeHtml
inui/src/selectors.js
that can be removed, too.
I resolved the proposed changes.
I would argue that this After looking into the different "viewers", i would instead argue that this I was looking into refactoring that right away, but i couldn't quickly make sense of where the Therefore i just moved |
The merge conflict seems to be caused by the |
5ce8471
to
26ee925
Compare
Merge conflict has been fixed, can this get merged? |
Hi @monneyboi, sorry I haven’t replied earlier. I took another look at this PR and noticed that it doesn’t sanitize some HTML markup properly that can trigger HTTP requests to third parties, e.g. Also, HTML documents that contain forms seem to be sanitized differently, although I don’t think this would be a security issue. Although I’m not against moving the HTML sanitization to the client-side per se, unfortunately I currently have limited bandwith to consider all the possible implications that this change might have. I have however opened a small PR that fixes a bug causing incorrect previews for some web pages. This should fix preview e.g. for politico.eu: #3575 |
Fixes #3334. I propose to move the safe html rendering to React for a couple of reasons:
bodyHtml
is being sent over the wire anyway.I would love to have used the HTML sanitizer API for this, but that's not yet supported in all major browsers. So i used DOMPurify instead, as proposed by Mozilla in their documentation on safely inserting HTML content in browser extensions.
This move also allowed me to drop the LXML python requirement.