add escape html to htmlContent on conversation list (#589)

* add escape html to htmlContent on conversation list * update ruby * update ruby version
chaskiq · Jan 13, 2022 · 1990a7a · 1990a7a
1 parent 0a18ea1
commit 1990a7a
Show file tree

Hide file tree

Showing 11 changed files with 32 additions and 20 deletions.
diff --git a/.github/workflows/anchore-analysis.yml b/.github/workflows/anchore-analysis.yml
@@ -12,7 +12,7 @@ jobs:
       - name: Build the Container image
         run: |
           docker build --build-arg APP_ENV=production \
-               --build-arg RUBY_VERSION=2.7.2 \
+               --build-arg RUBY_VERSION=2.7.5 \
                --build-arg PG_MAJOR=11 \
                --build-arg NODE_MAJOR=12 \
                --build-arg YARN_VERSION=1.13.0 \

diff --git a/.github/workflows/docker-image-ghcr.yml b/.github/workflows/docker-image-ghcr.yml
@@ -43,7 +43,7 @@ jobs:
           build-args: |
             "APP_ENV=production"
             "NODE_ENV=production"
-            "RUBY_VERSION=2.7.2"
+            "RUBY_VERSION=2.7.5"
             "PG_MAJOR=11"
             "NODE_MAJOR=12"
             "YARN_VERSION=1.13.0"

diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Build the Docker image
         run: |
           docker build --build-arg APP_ENV=production \
-               --build-arg RUBY_VERSION=2.7.2 \
+               --build-arg RUBY_VERSION=2.7.5 \
                --build-arg PG_MAJOR=11 \
                --build-arg NODE_MAJOR=12 \
                --build-arg YARN_VERSION=1.13.0 \

diff --git a/.github/workflows/rubocop-analysis.yml b/.github/workflows/rubocop-analysis.yml
@@ -25,7 +25,7 @@ jobs:
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.7.2
+        ruby-version: 2.7.5
 
     # This step is not necessary if you add the gem to your Gemfile
     # - name: Install Code Scanning integration

diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.7.2
+2.7.5
diff --git a/Gemfile b/Gemfile
@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby "2.7.2"
+ruby "2.7.5"
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
 gem "pg"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -688,7 +688,7 @@ DEPENDENCIES
   webpacker (~> 5.4.0)
 
 RUBY VERSION
-   ruby 2.7.2p137
+   ruby 2.7.5p203
 
 BUNDLED WITH
    2.1.4
diff --git a/app/javascript/packages/components/src/utils/htmlSanitize.ts b/app/javascript/packages/components/src/utils/htmlSanitize.ts
@@ -2,3 +2,10 @@ export default function extractContent(html) {
   return new DOMParser().parseFromString(html, 'text/html').documentElement
     .textContent;
 }
+
+export function escapeHTML(unsafe) {
+  return unsafe.replace(
+    /[\u0000-\u002F\u003A-\u0040\u005B-\u0060\u007B-\u00FF]/g,
+    (c) => '&#' + ('000' + c.charCodeAt(0)).substr(-4, 4) + ';'
+  );
+}
diff --git a/app/javascript/src/pages/conversations/ItemList.tsx b/app/javascript/src/pages/conversations/ItemList.tsx
@@ -2,7 +2,9 @@ import React from 'react';
 import { Link } from 'react-router-dom';
 import Moment from 'react-moment';
 import { readableColor } from 'polished';
-import sanitizeHtml from '@chaskiq/components/src/utils/htmlSanitize';
+import sanitizeHtml, {
+  escapeHTML,
+} from '@chaskiq/components/src/utils/htmlSanitize';
 import { LabelIcon } from '@chaskiq/components/src/components/icons';
 import Avatar from '@chaskiq/components/src/components/Avatar';
 
@@ -16,7 +18,7 @@ export default function ConversationItemList({ app, conversation }) {
   const renderConversationContent = (o) => {
     const message = o.lastMessage.message;
     if (message.htmlContent) {
-      return sanitizeHtml(message.htmlContent).substring(0, 250);
+      return sanitizeHtml(escapeHTML(message.htmlContent)).substring(0, 250);
     }
   };
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,16 +1,18 @@
 version: '2.4'
 
-x-app: &app
+x-app:
+  &app
   build:
     context: .
     dockerfile: ./Dockerfile.development
     args:
-      RUBY_VERSION: '2.7.2'
+      RUBY_VERSION: '2.7.5'
       PG_MAJOR: '11'
       NODE_MAJOR: '12'
       YARN_VERSION: '1.13.0'
       BUNDLER_VERSION: '2.0.2'
-  environment: &env
+  environment:
+    &env
     NODE_ENV: development
     RAILS_ENV: ${RAILS_ENV:-development}
     ANYCABLE_DEBUG: ${DEBUG:-0}
@@ -19,7 +21,8 @@ x-app: &app
   tmpfs:
     - /tmp
 
-x-backend: &backend
+x-backend:
+  &backend
   <<: *app
   stdin_open: true
   tty: true
@@ -126,9 +129,9 @@ services:
       WEBPACKER_DEV_SERVER_HOST: 0.0.0.0
 
 volumes:
-  postgres:
-  redis:
-  bundle:
-  node_modules:
-  rails_cache:
-  packs:
+  postgres: null
+  redis: null
+  bundle: null
+  node_modules: null
+  rails_cache: null
+  packs: null
diff --git a/hooks/build b/hooks/build
@@ -1,7 +1,7 @@
 #!/usr/bin/env sh
 
 docker build --build-arg APP_ENV=production \
-             --build-arg RUBY_VERSION=2.7.2 \
+             --build-arg RUBY_VERSION=2.7.5 \
              --build-arg PG_MAJOR=11 \
              --build-arg NODE_MAJOR=12 \
              --build-arg YARN_VERSION=1.13.0 \