Closed Akshansr closed 2 weeks ago
There are several issues with the PR:
- If you cannot add images or URLs, all the handlers should be removed - there is code in utils and index that seems unnecessary.
- You can still inject img and url if you open your browser or paste HTML markup into the value prop - the code should sanitize and remove any img or url before sending it to the server - we need to use DOMPurify to clean up the markup and avoid any injection if we want to advertise that this component is safer.
We have updated the code by removing all unused image handlers and are now sanitising the content to filter out any images or links before it is inserted into the editor. Content will be sanitised in both cases, whether images/links are hard-coded or pasted directly by the user, ensuring that images cannot be injected in any way. As a result, the component is now more secure and safe.
Secure rich text editor provides a safe and versatile rich-text editing experience with essential formatting tools, while restricting URL and image insertion to harden the application against XSS.
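The review asks for an allowlist clean-up of the markup (DOMPurify) applied to both the hard-coded `value` prop and pasted clipboard content. The block below is an added example, not code from this PR or the project: it expresses that policy (keep a few formatting tags, drop `img`, `a` and every attribute) as a dependency-free sanitizer so the test vectors run in Node without a DOM, and funnels both entry points through it. In the browser the same policy with DOMPurify is `DOMPurify.sanitize(html, { ALLOWED_TAGS: [...], ALLOWED_ATTR: [] })`. The function names `sanitizeRichText`, `sanitizeValueProp` and `sanitizePaste`, and the vectors, are assumptions made for this example.

```javascript
// Added example (not the project's code): allowlist sanitizer for the editor's
// "no images, no links" policy, plus the two entry points that must share it.
// Equivalent DOMPurify call in the browser:
//   DOMPurify.sanitize(html, { ALLOWED_TAGS: [...ALLOWED_TAGS], ALLOWED_ATTR: [] })

// Formatting the editor still supports. Everything else (img, a, script, svg,
// style, comments, doctype) is removed; its text content is kept as text.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'strong', 'em', 'p', 'br', 'ul', 'ol', 'li']);

// Start of a tag: optional "/" for a closing tag, then the tag name.
const TAG_NAME = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)/;

function sanitizeRichText(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);                 // plain text: contains no "<"
    const gt = html.indexOf('>', lt);
    if (gt === -1) {                          // unterminated "<...": neutralise as text
      out += html.slice(lt).replace(/</g, '&lt;');
      break;
    }
    const m = TAG_NAME.exec(html.slice(lt, gt + 1));
    if (m) {
      const closing = m[1] === '/';
      const name = m[2].toLowerCase();        // <IMG> and <img> are the same tag
      if (ALLOWED_TAGS.has(name)) {
        // Re-emit a canonical tag: no attributes survive, so no src/href/on* handlers.
        if (closing) { if (name !== 'br') out += `</${name}>`; }
        else out += `<${name}>`;
      }
    }
    i = gt + 1;                               // anything not re-emitted is dropped
  }
  return out;
}

// Entry point 1: markup hard-coded in the `value` prop.
function sanitizeValueProp(value) {
  return sanitizeRichText(value == null ? '' : String(value));
}

// Entry point 2: clipboard content. In a React component this is called from
// onPaste after event.preventDefault(), with event.clipboardData as the argument.
function sanitizePaste(clipboardData) {
  const html = clipboardData.getData('text/html');   // keep formatting if present
  if (html) return sanitizeRichText(html);
  const text = clipboardData.getData('text/plain') || '';
  // Plain text must never be interpreted as markup.
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed test vectors: [input, expected output].
const VECTORS = [
  ['<b>bold</b> and <i>italic</i>', '<b>bold</b> and <i>italic</i>'],
  ['<IMG SRC=x onerror=alert(1)>', ''],                       // image dropped
  ['<a href="javascript:alert(1)">x</a>', 'x'],               // link dropped, text kept
  ['<b onclick="alert(1)">x</b>', '<b>x</b>'],                // handler attribute stripped
  ['<b/onclick=alert(1)>x', '<b>x'],                          // slash-attribute trick
  ['<script>alert(1)</script>', 'alert(1)'],                  // script body becomes text
  ['<!-- <img src=x onerror=alert(1)> -->', ' -->'],          // comment-hidden image
  ['<p>1 < 2', '<p>1 &lt; 2'],                                // stray "<" escaped
];

function runVectors() {
  return VECTORS.every(([input, expected]) => sanitizeRichText(input) === expected);
}
```

The point the review makes is that the sanitizer has to sit on every path into the editor, not only on the paste handler: `sanitizeValueProp` and `sanitizePaste` here share one function, so a hard-coded `<img>` in the prop and a pasted `<img>` are rejected by the same rule. Because only canonical tags with no attributes are ever re-emitted, the output contains no `<` inside text and re-parsing it later (for example when the editor serialises and restores its content) cannot change its meaning.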