Antonio-Maranhao opened a new pull request, #1407:
URL: https://github.com/apache/couchdb-fauxton/pull/1407

## Overview

The `dangerouslySetInnerHTML` React property was being used by Notification components to allow formatting of the message by embedding HTML elements directly in the message. This flexibility can become a security issue because messages might include data provided by users (e.g. document IDs), in which case it can be used for HTML injection.

This PR removes uses of `dangerouslySetInnerHTML` in the Notification components in favor of embedding the input msg as a normal React node, which then is properly sanitized by React.

## Testing recommendations

Test notifications: e.g. create or delete a document and validate the notification is still displayed.

## GitHub issue number

n/a

## Related Pull Requests

n/a

## Checklist

- [x] Code is written and works correctly;
- [ ] Changes are covered by tests;
- [ ] Documentation reflects the changes;
- [ ] Update [rebar.config.script](https://github.com/apache/couchdb/blob/main/rebar.config.script) with the correct tag once a new Fauxton release is made


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
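The contrast the PR describes, as an added example that is neither Fauxton's nor React's code: `escapeText` reproduces the characters React escapes in text children, `renderNotificationUnsafe` stands in for what `dangerouslySetInnerHTML` does with the same string, and the `{tag, children}` node tree is a hypothetical stand-in for React elements, showing how formatting is kept without raw HTML.

```javascript
// Added example, not Fauxton's code. React is not imported; the functions
// below model the two rendering paths the PR contrasts.

// The characters React escapes when rendering a string as a text node.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeText(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Before the PR: the message string is injected into the DOM as markup, so
// any tag inside user-provided data (a document ID, say) becomes live HTML.
function renderNotificationUnsafe(msg) {
  return `<div class="notification">${msg}</div>`;
}

// After the PR: the message is a normal React child, i.e. a text node, so
// markup characters are escaped and the ID is displayed literally.
function renderNotificationSafe(msg) {
  return `<div class="notification">${escapeText(msg)}</div>`;
}

// Formatting without raw HTML: markup comes from code as element nodes,
// while user-supplied data stays a string child and is always escaped.
// Hypothetical node shape {tag, children} stands in for React elements.
function renderNode(node) {
  if (typeof node === 'string') return escapeText(node);
  return `<${node.tag}>${node.children.map(renderNode).join('')}</${node.tag}>`;
}
function deletedNotification(docId) {
  return renderNode({
    tag: 'div',
    children: ['Document ', { tag: 'code', children: [docId] }, ' deleted.'],
  });
}

// Constructed sample: a document ID that happens to contain markup.
const SAMPLE_DOC_ID = '<b>user-doc</b>';
```

Rendering `'Deleted ' + SAMPLE_DOC_ID` through `renderNotificationUnsafe` keeps the `<b>` tag as markup, while `renderNotificationSafe` and `deletedNotification` emit it as `&lt;b&gt;user-doc&lt;/b&gt;`.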