VEuPathDB / web-monorepo

A monorepo that contains all frontend code for VEuPathDB websites
Apache License 2.0

EDA and Map - values with < > don't display properly #1170

Open bobular opened 2 months ago

bobular commented 2 months ago

The two values are Aedes <genus> and Aedes <subgenus>

It looks like we're stripping HTML-like tags too aggressively?


dmfalke commented 2 months ago

I haven't looked, but we are probably displaying the values as html, in which case values in angle brackets would be interpreted as html tags. I don't remember the background as to why we treat them as html, but it's probably not a great idea. I'll have to dig around commit messages.

dmfalke commented 2 months ago

If I recall correctly, we wanted to support italics for organism names, etc.

We could have an allow-list of html tags we support, and encode any angle brackets that are not used in conjunction with those tags.

I'm envisioning a function with this interface:

declare function sanitizeHtml(html: string, allowedTags: string[]): string

And used like this:

sanitizeHtml(source, ['i', 'b'])

bobular commented 2 months ago

Here's the safeHtml function we should probably improve https://github.com/VEuPathDB/web-monorepo/blob/8b5d70e76147fbb7164786187ae0b16871bc9923/packages/libs/wdk-client/src/Utils/ComponentUtils.tsx#L256

It's called from here https://github.com/VEuPathDB/web-monorepo/blob/8b5d70e76147fbb7164786187ae0b16871bc9923/packages/libs/wdk-client/src/Components/AttributeFilter/MembershipField.jsx#L508

Any tag that isn't "safe" should be escaped so <genus> becomes &lt;genus&gt;

dmfalke commented 2 months ago

I was thinking we would pass the output of the sanitizeHtml function to safeHtml:

safeHtml(sanitizeHtml(value, ['i', 'b']))

Otherwise, we will need to add a new parameter to safeHtml.
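As an added example (not code from web-monorepo or from either commenter), one way to implement the sanitizeHtml(html, allowedTags) interface proposed above so that its output can be handed to the existing safeHtml as in the last comment. It assumes the allow-list is only bare tag names such as 'i' and 'b'; tags carrying attributes are deliberately not allowed, and only angle brackets are touched, as the proposal describes.

```typescript
// Replace every '<' and '>' in a plain-text span with its HTML entity.
function escapeAngleBrackets(text: string): string {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Keep only allow-listed tags (opening, closing, or self-closing, with no
// attributes); encode the angle brackets of everything else, so a value such
// as "Aedes <genus>" is shown literally instead of vanishing as an unknown tag.
function sanitizeHtml(html: string, allowedTags: string[]): string {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  // Matches <name>, </name> and <name/>; a tag with attributes does not match
  // and therefore falls through to the escaping path below.
  const tagRe = /<\/?([A-Za-z][A-Za-z0-9-]*)\s*\/?>/g;
  let out = '';
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(html)) !== null) {
    // Text between tags may hold stray brackets (e.g. "a < b"); escape them.
    out += escapeAngleBrackets(html.slice(last, m.index));
    out += allowed.has(m[1].toLowerCase()) ? m[0] : escapeAngleBrackets(m[0]);
    last = m.index + m[0].length;
  }
  out += escapeAngleBrackets(html.slice(last));
  return out;
}

// Constructed sample values from the issue; in the app the result would go
// through safeHtml(sanitizeHtml(value, ['i', 'b'])).
const samples = ['Aedes <genus>', '<i>Aedes aegypti</i> <subgenus>'];
for (const value of samples) {
  console.log(sanitizeHtml(value, ['i', 'b']));
}
```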