digitalfabrik / integreat-app

React JS and React Native App for Integreat
https://integreat.app
MIT License

IGAPP-619: Sanitize all html in endpoints #1596

Closed jira-to-github-migrator[bot] closed 1 year ago

jira-to-github-migrator[bot] commented 1 year ago

steffenkleinle - 26.4.2021, 11:21:41

To avoid XSS attacks we should make sure that all HTML we get from all endpoints is correctly sanitized and does not contain any malicious scripts. Check all endpoints, especially tüNews and every endpoint querying a content property. Also check both web and native for any occurrences where HTML is rendered (web: dangerouslySetInnerHTML, native: react-native-render-html or react-native-webview).

The CMS team mentioned that our current sanitizing is not enough: https://chat.tuerantuer.org/digitalfabrik/pl/jck99ptu6b8ffxx1dj9agpzi9y Make sure our sanitizing really removes all potentially malicious stuff! Maybe we need/should use another library like isomorphic-dompurify. Don't forget to remove the types for sanitize-html-react in

api-client/src/@types/sanitize-html-react

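The issue above asks for sanitizing that "really removes all potentially malicious stuff". As an added example (not code from the integreat-app project or from anyone in this thread), the following Node.js script contrasts a blocklist sanitizer of the kind the CMS team considered insufficient with an allowlist sanitizer built on the principles DOMPurify follows: only known elements and attributes are re-emitted, URL attributes are checked after entity decoding, and anything unrecognised is dropped or escaped. The tag and attribute lists, the helper names and the payloads are all constructed for the example; it is teaching code, not a drop-in replacement for DOMPurify, which parses with a real DOM and also covers nesting and mutation (mXSS) cases a regex tokenizer cannot.

```javascript
// Added example, not integreat-app code. Blocklist vs. allowlist HTML sanitizing.

// Blocklist: strip <script> elements and hope nothing else executes.
function blocklistSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Allowlist configuration (constructed for this example, not the app's real list).
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'img', 'h1', 'h2', 'h3']);
const VOID_TAGS = new Set(['br', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Decode numeric and a few named entities, so "jav&#x09;ascript:" cannot hide a scheme.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (whole, hex, dec, named) => {
    if (named !== undefined) return NAMED_ENTITIES[named.toLowerCase()] ?? whole;
    const cp = parseInt(hex ?? dec, hex !== undefined ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

function escapeText(s) {
  return s.replace(/[&<>"]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' })[c]);
}

// Browsers ignore ASCII whitespace and control characters inside a scheme, so
// "java\tscript:" still runs. Strip them before deciding; allow relative URLs
// and the listed schemes only.
function isSafeUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.replace(/[\u0000-\u0020\u007f]/g, ''));
  return m === null || SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Rebuild the attribute list from parsed parts: on* handlers, style, srcdoc never survive.
function serializeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const a of attrText.matchAll(ATTR_RE)) {
    const name = a[1].toLowerCase();
    if (!allowed.has(name)) continue;
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function allowlistSanitize(html) {
  let out = '';
  const open = []; // stack of open allowed elements, so the output is balanced
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(decodeEntities(html.slice(i))); break; }
    out += escapeText(decodeEntities(html.slice(i, lt)));
    const rest = html.slice(lt);
    let m;
    if ((m = /^<!--[\s\S]*?(?:-->|$)/.exec(rest)) || (m = /^<[!?][^>]*>?/.exec(rest))) {
      i = lt + m[0].length; // comments, doctype, processing instructions: dropped
      continue;
    }
    m = TAG_RE.exec(rest);
    if (!m) { out += '&lt;'; i = lt + 1; continue; } // malformed tag: fail closed, keep as text
    i = lt + m[0].length;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if ((name === 'script' || name === 'style') && !closing) {
      // Raw-text elements are dropped together with their content.
      const end = new RegExp(`</${name}\\s*>`, 'i').exec(html.slice(i));
      i = end ? i + end.index + end[0].length : html.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown element: tag dropped, children still processed
    if (closing) {
      const idx = open.lastIndexOf(name);
      while (idx !== -1 && open.length > idx) out += `</${open.pop()}>`;
      continue;
    }
    out += `<${name}${serializeAttrs(name, m[3])}>`;
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Constructed payloads, not content from any Integreat endpoint.
const PAYLOADS = {
  benign: '<p>Hello <b>world</b> &amp; <a href="https://integreat.app">link</a></p>',
  scriptTag: '<p>x</p><script>alert(1)</script>',
  handler: '<img src=x onerror=alert(1)>',
  jsUrl: '<a href="javascript:alert(1)">click</a>',
  encodedJsUrl: '<a href="jav&#x09;ascript:alert(1)">click</a>',
  svgOnload: '<svg onload=alert(1)>',
  unclosedTag: '<img src=x onerror=alert(1)',
};

for (const [label, html] of Object.entries(PAYLOADS)) {
  console.log(`${label}\n  blocklist: ${blocklistSanitize(html)}\n  allowlist: ${allowlistSanitize(html)}`);
}
```

Run with `node sanitize-demo.js`: the blocklist passes every payload except `scriptTag` unchanged, while the allowlist keeps the benign markup byte-for-byte and reduces each attack to inert markup or nothing. The same allowlist idea is what makes DOMPurify a safer choice than a `<script>`-stripping filter, and on the rendering side it is still worth checking the `dangerouslySetInnerHTML` and `react-native-render-html` call sites named in the issue, because sanitizing at the endpoint only helps if every render path consumes the sanitized string.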

jira-to-github-migrator[bot] commented 1 year ago

Jan Waeckers - 29.4.2021, 22:03:33

sanitizeHtmlReact is not working correctly and is outdated. It will be replaced by another library like dompurify.

sarahsporck - 2.6.2021, 14:42:30

I think dompurify does not work for native. If it does not, take a look at isomorphic-dompurify.

Jan Waeckers - 9.6.2021, 20:18:35

@sarah.sporck I assume I need to test the native functionality on a mobile device?