
ROU-11001: Added sanitizeInputValues configuration #431

Merged
merged 6 commits into from
Aug 21, 2024

Conversation

gnbm (Collaborator) commented Aug 20, 2024

This PR is for adding the new sanitizeInputValues configuration.

What was happening

  • When passing HTML to the Grid, mainly on Action and Image Columns and the ContextMenu, we opened a door to an XSS vulnerability.

What was done

  • Added a new sanitizeInputValues configuration to allow the developer to control when to sanitize the Grid's data.
  • The default will be sanitizeInputValues = true so this will be a needed breaking change.

Test Steps

  1. Open a screen with a Link Column
  2. On the Get From Other Sources, add to the first position the following text: Test <img src=x onerror='alert(String.fromCharCode(88,83,83))'>
  3. Check that now we can see the text and no code is executed

Screenshots

  • Before: [screenshot]
  • After the fix: [screenshot]

Checklist

  • tested locally
  • documented the code
  • clean all warnings and errors of eslint
  • requires changes in OutSystems
  • requires new sample page in OutSystems
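A small model of the switch described in "What was done", added here as an example and not taken from the Grid's code base: the function names and the config object shape are assumptions, and the input is the string from the test steps above.

```javascript
// Added example (not the Grid's own code): a minimal model of a
// sanitizeInputValues-style switch for cell values that a column renders
// as HTML. Function names and the config object shape are assumptions.

// Escape the characters that let a string open a tag or attribute, so the
// browser shows the markup literally instead of parsing it.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // first, so the escapes below are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// With sanitizeInputValues enabled (the PR's new default) the value is
// escaped before it reaches innerHTML; disabled, raw HTML passes through.
function sanitizeCellValue(value, config = { sanitizeInputValues: true }) {
  return config.sanitizeInputValues ? escapeHtml(value) : String(value);
}

// Does the string still contain anything a parser would treat as a tag
// start? Escaped output never contains a raw "<", so no element and
// therefore no on* handler can be created from it.
function containsTagStart(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// Constructed input: the exact string used in the PR's test steps.
const PAYLOAD =
  "Test <img src=x onerror='alert(String.fromCharCode(88,83,83))'>";

function demo() {
  const sanitized = sanitizeCellValue(PAYLOAD);
  const raw = sanitizeCellValue(PAYLOAD, { sanitizeInputValues: false });
  return {
    sanitized,
    raw,
    sanitizedIsInert: !containsTagStart(sanitized),
    rawIsActive: containsTagStart(raw),
  };
}

console.log(demo());
```

With the default configuration the cell shows the literal text from step 3 of the test steps; only with `sanitizeInputValues: false` does the markup reach the parser unchanged.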

@gnbm gnbm added the chore label Aug 20, 2024
@gnbm gnbm marked this pull request as ready for review August 20, 2024 10:46
@gnbm gnbm requested a review from a team as a code owner August 20, 2024 10:46
@gnbm gnbm requested a review from rugoncalves August 20, 2024 12:20
rugoncalves previously approved these changes Aug 20, 2024
rugoncalves previously approved these changes Aug 21, 2024

rugoncalves (Contributor) left a comment


Looking good!

@gnbm gnbm merged commit 0844059 into dev Aug 21, 2024
13 checks passed
@gnbm gnbm deleted the ROU-11001 branch August 21, 2024 17:40