Shopify / post-purchase-ui

MIT License

Create package based on checkout-ui structure #1

Closed alxclark closed 3 years ago

alxclark commented 3 years ago

Description

https://github.com/Shopify/checkout-ui was created in order to help produce WYSIWYG editors for Shopify checkout extensions, but with the latest API changes in the host components, it is now breaking for post-purchase to alias its components to @shopify/checkout-ui-react.

In order to unblock partners who currently use @shopify/checkout-ui-react in order to show a preview of post-purchase extensions, we need to create a separate package that tracks the latest components and styles used by post-purchase.

This PR brings the whole structure that was present in https://github.com/Shopify/checkout-ui and exposes the components from checkout-web-ui-post-purchase instead.

Reviewers

🎩 A tophat of this package would be appreciated. To make it easier to test out changes, I've added an examples folder with a local example. In order to tophat, simply follow the instructions in the README located at examples/latest/README.md.

Next steps

Once this PR ships, we will need to turn this repo into a public repository and publish the package.

caution-tape-bot[bot] commented 3 years ago

We noticed that this PR either modifies or introduces usage of the dangerouslySetInnerHTML attribute, which can cause cross-site scripting (XSS) vulnerabilities when user controlled values are passed in. We recommend reviewing your code to ensure that this is what you intended to use and that there is not a safe alternative available.

Docs are available here.

If unavoidable, we recommend using an HTML sanitizer like DOMPurify to sanitize content before rendering it as HTML.

If you have any questions or are unsure about how to move forward with this, ping #help-appsec and we would be happy to help you out! cc: @Shopify/xss-extermination-squad
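The kind of check the bot comment describes can be sketched as a small diff scanner. This is an added example, not caution-tape-bot's code and not part of this PR; the sample diff, file names and the `scanDiff` helper are assumptions made for illustration.

```javascript
// Added example: report lines that a unified diff adds using dangerouslySetInnerHTML.
// SAMPLE_DIFF is constructed; its file and variable names are hypothetical.
const SAMPLE_DIFF = [
  '--- a/src/Banner.tsx',
  '+++ b/src/Banner.tsx',
  '@@ -10,4 +10,5 @@ export function Banner({html, title}) {',
  '   return (',
  '+    <div dangerouslySetInnerHTML={{__html: html}} />',
  '+    <p dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(html)}} />',
  '     <h1>{title}</h1>',
  '-    <span>{html}</span>',
  '   );',
  '--- a/src/Old.tsx',
  '+++ b/src/Old.tsx',
  '@@ -1,2 +1,2 @@',
  ' export const a = 1;',
  '-const x = <i dangerouslySetInnerHTML={{__html: text}} />;',
  '+const x = <i>{text}</i>;',
].join('\n');

function scanDiff(diffText) {
  const findings = [];
  let file = null, newLine = 0, oldLeft = 0, newLeft = 0;
  for (const line of diffText.split('\n')) {
    if (oldLeft > 0 || newLeft > 0) {           // inside a hunk body
      const tag = line[0];
      if (tag === '\\') continue;               // "\ No newline at end of file"
      if (tag === '-') { oldLeft--; continue; } // removed lines are not reported
      if (tag === '+' && line.includes('dangerouslySetInnerHTML')) {
        // Same-line heuristic only: a reviewer still confirms what is sanitized.
        const sanitized = /DOMPurify\.sanitize\s*\(/.test(line);
        findings.push({file, line: newLine, sanitized});
      }
      if (tag !== '+') oldLeft--;               // context lines count on both sides
      newLeft--; newLine++;
      continue;
    }
    const h = /^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/.exec(line);
    if (h) {                                    // hunk header: counts default to 1
      oldLeft = h[1] === undefined ? 1 : Number(h[1]);
      newLine = Number(h[2]);
      newLeft = h[3] === undefined ? 1 : Number(h[3]);
    } else if (line.startsWith('+++ ')) {
      file = line.slice(4).replace(/^b\//, ''); // path in the new tree
    }
  }
  return findings;
}
```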