Open bobular opened 2 months ago
I haven't looked, but we are probably displaying the values as html, in which case values in angle brackets would be interpreted as html tags. I don't remember the background as to why we treat them as html, but it's probably not a great idea. I'll have to dig around commit messages.
If I recall correctly, we wanted to support italics for organism names, etc.
We could have an allow-list of html tags we support, and encode any angle brackets that are not used in conjunction with those tags.
I'm envisioning a function with this interface:
declare function sanitizeHtml(html: string, allowedTags: string[]): string
And used like this:
sanitizeHtml(source, ['i', 'b'])
Here's the safeHtml
function we should probably improve
https://github.com/VEuPathDB/web-monorepo/blob/8b5d70e76147fbb7164786187ae0b16871bc9923/packages/libs/wdk-client/src/Utils/ComponentUtils.tsx#L256
It's called from here https://github.com/VEuPathDB/web-monorepo/blob/8b5d70e76147fbb7164786187ae0b16871bc9923/packages/libs/wdk-client/src/Components/AttributeFilter/MembershipField.jsx#L508
Any tag that isn't "safe" should be escaped so <genus>
becomes <genus;>
I was thinking we would pass the output of the sanitizeHtml
function to safeHtml
:
safeHtml(sanitizeHtml(value, ['i', 'b']))
Otherwise, we will need to a new parameter to safeHtml
.
The two values are
Aedes <genus>
andAedes <subgenus>
It looks like we're stripping HTML-like tags too aggressively?