yeg-relief / youcanbenefit

YouCanBenefit is a web application that increases social benefit program discoverability for people of lesser means and their allies.
https://youcanbenefit.edmonton.ca
MIT License

Add rich text editing #108

Closed CodyGramlich closed 5 years ago

CodyGramlich commented 5 years ago

Resolves #105. Resolves #43.

This continues off of PR #106. Adds rich text editing to program details, to the about page, and to the documents and resources page.

Rich text editing for program details: (screenshot: rich-text-program-details)

CodyGramlich commented 5 years ago

ngx-quill uses Angular's DomSanitizer to sanitize the HTML in the editor. If the link doesn't start with `http://` or `https://` and has the string `javascript:` in it, then the link will be replaced with `about:blank`. This only sanitizes on the client side. One could do an HTTP request with malicious code in the `href` attribute if we didn't sanitize the HTML on the backend.

As for the backend, we are using sanitize-html. Calling `sanitizeHtml(html)` on some HTML prevents malicious code from getting through. If `javascript:` is in the `href` of the `<a>` tag, then it removes the `href`.

Even if we didn't sanitize the HTML on the backend, Angular uses DomSanitizer by default, so if there is something like `<a href=javascript:alert('hello')></a>` then clicking on the link will try to navigate you to `unsafe:javascript:alert('hello');` and nothing will happen.

Also, the endpoint to edit pages is under the protected controller and requires authentication.

j-rewerts commented 5 years ago

Always assume evil actors know how to consume your API directly. Your users don't actually have to use the UI if they don't want to. Always sanitize your inputs on the server, even if you also do it on the front end.

As for the protected routes, assume that your authentication has been breached. You can never allow javascript to be put in your data store under any circumstance.

CodyGramlich commented 5 years ago

Makes sense. I meant to describe the security measures that are currently in place. The `sanitizeHtml` function on the backend takes care of any JavaScript in `href` attributes along with a number of other things: https://github.com/punkave/sanitize-html/blob/master/src/index.js

j-rewerts commented 5 years ago

Oh right! 😅