Uploaded image for project: 'Hue (READ ONLY)'
  1. Hue (READ ONLY)
  2. HUE-9570

[ui] Rewramp deXSS with sanitize-html package

          Details

          • Type: Bug
          • Status: Resolved
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 4.8.0
          • Fix Version/s: None
          • Component/s: app.editor
          • Labels:
            None

            Description

            Problem Statement : Hue Uses HueUtils.deXSS method to sanitize the String and prevent XSS attack. But it doesn't honor onerror, onclick and another tags which can be injected into DOM, we only honor <script and </script> tag . 

            So I am proposing an change to this by using the Sanitize-html NPM package : 

            https://github.com/apostrophecms/sanitize-html

              Attachments

                Activity

                  People

                  • Assignee:
                    asnaik Akhil S Naik
                    Reporter:
                    asnaik Akhil S Naik
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    1 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: