fix: Fix stored XSS when rendering tooltips #4770

Merged
merged 1 commit into from
Oct 25, 2024

Conversation

rolodato
Member

Thanks for submitting a PR! Please check the boxes below:

  • I have added information to docs/ if required so people know about the feature!
  • I have filled in the "Changes" section below?
  • I have filled in the "How did you test this code" section below?
  • I have used a Conventional Commit title for this Pull Request

Changes

Fixes a stored XSS when rendering tooltips. This can be triggered with the following actions:

  • Enabling "Compact view" in the Features list and hovering over a feature with an XSS payload in its description
  • Comparing two environments or identities in a project that has a feature with an XSS payload in its description
  • Visiting the identity details page for any identity in a project containing a feature with an XSS payload in its description

Example description payload:

<img src=x onerror=alert('hello')>

How did you test this code?

Locally by performing the above actions and comparing them to the current release version of the frontend.
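Added example, not Flagsmith's code and not the PR's diff: the tooltip sink the PR describes, rendered the vulnerable way beside a plain-text rendering, with a rough regression check run over both using the payload quoted above. The function names (renderTooltipUnsafe, renderTooltipAsText, hasActiveContent) and the sample descriptions are assumptions for illustration; the project's own sanitize() helper is not reproduced here.

```javascript
// Added example (not Flagsmith's code). Names below are illustrative
// assumptions; the project's sanitize() is not reproduced.

// Constructed sample descriptions. The first matches the payload quoted
// in the PR; the second is a harmless description containing markup.
const XSS_DESCRIPTION = "<img src=x onerror=alert('hello')>";
const BENIGN_DESCRIPTION = "Enables the new <b>checkout</b> flow for 10% of users";

// Vulnerable pattern: the stored description is interpolated into the
// tooltip markup verbatim, the same effect as
// dangerouslySetInnerHTML={{ __html: children }} on the original line.
function renderTooltipUnsafe(description) {
  return `<div style="word-break: break-word">${description}</div>`;
}

// Escape the characters that let text break out of a text node or a
// quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Plain-text rendering, the alternative raised in review: the description is
// shown as text, so no markup in it is ever parsed by the browser. This is
// the same idea as rendering <div>{children}</div> in React.
function renderTooltipAsText(description) {
  return `<div style="word-break: break-word">${escapeHtml(description)}</div>`;
}

// Rough regression check for rendered tooltip markup (a heuristic for tests,
// not a sanitizer): flag any script tag, inline event handler attribute, or
// javascript: URL in a tag the browser would actually parse.
function hasActiveContent(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some(
    (tag) =>
      /^<script\b/i.test(tag) ||
      /\son[a-z]+\s*=/i.test(tag) ||
      /\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(tag)
  );
}

// Usage: compare both renderings for the stored payload.
for (const [label, render] of [
  ["unsafe", renderTooltipUnsafe],
  ["as text", renderTooltipAsText],
]) {
  const html = render(XSS_DESCRIPTION);
  console.log(`${label}: active content = ${hasActiveContent(html)}\n  ${html}`);
}
```

The check is deliberately tag-level: once the description is escaped, the browser never sees `<img ...>` as a tag, so the event handler text is inert even though the string still contains the word `onerror`.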

@rolodato rolodato added front-end Issue related to the React Front End Dashboard security Security updates labels Oct 24, 2024
@rolodato rolodato requested a review from a team as a code owner October 24, 2024 22:50
@rolodato rolodato requested review from kyle-ssg and removed request for a team October 24, 2024 22:50
vercel bot commented Oct 24, 2024

Deployment status

Name                         Status    Updated (UTC)
flagsmith-frontend-preview   Ready     Oct 24, 2024 10:50pm
flagsmith-frontend-staging   Ready     Oct 24, 2024 10:50pm
docs                         Ignored   Oct 24, 2024 10:50pm (skipped deployment)

Contributor

github-actions bot commented Oct 24, 2024

Docker builds report

Image                                            Build Status   Security report
ghcr.io/flagsmith/flagsmith-api-test:pr-4770     Finished       Skipped
ghcr.io/flagsmith/flagsmith-e2e:pr-4770          Finished       Skipped
ghcr.io/flagsmith/flagsmith-api:pr-4770          Finished       Results
ghcr.io/flagsmith/flagsmith:pr-4770              Finished       Results
ghcr.io/flagsmith/flagsmith-private-cloud:pr-4770 Finished      Results
ghcr.io/flagsmith/flagsmith-frontend:pr-4770     Finished       Results

@rolodato rolodato changed the title Fix stored XSS when rendering tooltips fix: Fix stored XSS when rendering tooltips Oct 24, 2024

Contributor

@matthewelwell matthewelwell left a comment


I'm approving this as I've tested all of the use cases described in the PR (and mentioned by a customer) so I'm happy that it fixes the immediate issue but I do think that the question I've added is a valid one that should be addressed at some point.

@@ -44,7 +45,7 @@ const Tooltip: FC<TooltipProps> = ({
) : (
<div
style={{ wordBreak: 'break-word' }}
dangerouslySetInnerHTML={{ __html: children }}
dangerouslySetInnerHTML={{ __html: sanitize(children) }}
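Review bot: the hunk keeps `dangerouslySetInnerHTML` and moves the trust to `sanitize(children)`, but neither the import of `sanitize` nor its allowlist is visible here, so confirm the configuration actually drops event-handler attributes such as the `onerror` in the quoted `<img src=x onerror=alert('hello')>` payload rather than only stripping `<script>`. If tooltip content is not meant to carry markup at all, rendering `{children}` as a text child of the `<div>` removes the HTML sink entirely and does not depend on sanitizer configuration staying correct.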
Contributor

I don't really understand why we're even using dangerouslySetInnerHTML here at all? Shouldn't we be able to just render out the text as plain text?

@matthewelwell matthewelwell added this pull request to the merge queue Oct 25, 2024
Merged via the queue into main with commit 96f62c7 Oct 25, 2024
33 checks passed
@matthewelwell matthewelwell deleted the fix/tooltip-stored-xss branch October 25, 2024 08:46