Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitizing HTML from component label, tooltip and description #5121

Merged
merged 4 commits into from
Mar 10, 2025
Merged

Sanitizing HTML from component label, tooltip and description #5121

merged 4 commits into from
Mar 10, 2025

Conversation

robinmolen
Copy link
Contributor

@robinmolen robinmolen commented Feb 25, 2025
edited
Loading

Closes open-formulieren/security-issues#36

Changes

Added a simplistic sanitize function that sanitizes component label, tooltip and description when saving the component. This function allows a list of HTML tags and attributes, based on what formbuilders are currently using. Any html tags/attributes, that aren't in the allow list, are removed (only their content remains).

Checklist

Check off the items that are completed or not relevant.

  • Impact on features

    • Checked copying a form
    • Checked import/export of a form
    • Config checks in the configuration overview admin page
    • Problem detection in the admin email digest is handled

  • Release management

    • I have labelled the PR as "needs-backport" accordingly

  • I have updated the translations assets (you do NOT need to provide translations)

    • Ran ./bin/makemessages_js.sh
    • Ran ./bin/compilemessages_js.sh

  • Dockerfile/scripts

    • Updated the Dockerfile with the necessary scripts from the ./bin folder

  • Commit hygiene

    • Commit messages refer to the relevant Github issue
    • Commit messages explain the "why" of change, not the how

@codecov Codecov
Copy link

codecov bot commented Feb 25, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 96.15385% with 1 line in your changes missing coverage. Please review.

Project coverage is 96.74%. Comparing base (f8ac4ef) to head (1d1a642).
Report is 23 commits behind head on master.

Files with missing lines Patch % Lines
...openforms/forms/api/serializers/form_definition.py 90.90% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5121      +/-   ##
==========================================
- Coverage   96.75%   96.74%   -0.01%     
==========================================
  Files         778      779       +1     
  Lines       26741    26774      +33     
  Branches     3474     3483       +9     
==========================================
+ Hits        25873    25903      +30     
- Misses        606      607       +1     
- Partials      262      264       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@robinmolen robinmolen force-pushed the issue/html-in-component-tooltip branch 2 times, most recently from eb578a3 to fa13953 Compare February 27, 2025 08:55
@robinmolen robinmolen marked this pull request as ready for review February 27, 2025 08:58
@robinmolen robinmolen marked this pull request as draft February 27, 2025 09:38
@robinmolen robinmolen force-pushed the issue/html-in-component-tooltip branch from eb970b1 to 899fced Compare March 4, 2025 12:20
@robinmolen
Copy link
Contributor Author

This functionality is only tested on backend api level. We cannot nicely test the frontend sanitizing, because e2e tests will just become bloated/ugly/unreadable.

@robinmolen robinmolen marked this pull request as ready for review March 4, 2025 14:45
@robinmolen robinmolen changed the title Removing HTML from component tooltips Sanitizing HTML from component label, tooltip and description Mar 4, 2025
@robinmolen robinmolen force-pushed the issue/html-in-component-tooltip branch 2 times, most recently from 334b156 to 5ca577a Compare March 5, 2025 10:22
viktorvanwijk
viktorvanwijk requested changes Mar 5, 2025
View reviewed changes
Copy link
Contributor

@viktorvanwijk viktorvanwijk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice :)

@robinmolen
✨ Added html checking to problem detection script
34372e9
@robinmolen
🧪 [open-formulieren/security-issues#36] Added api tests for sanitizin…
00fcd08 
…g the form definition components content

Testing the create and update proces of form definitions
@robinmolen robinmolen force-pushed the issue/html-in-component-tooltip branch from 5ca577a to 537876f Compare March 6, 2025 09:57
@robinmolen
🦺 [open-formulieren/security-issues#36] Backend html content sanitizi…
9ffee5e 
…ng for form definition components

When creating or updating a form definition, the components are sanitized on HTML content. Currently only the component tooltip, description and label will be sanitized.

The sanitizing is done using bleach, and uses a list of allowed tags and attributes. Any html that isn't defined in these lists, will be removed. The content of such a disallowed html component will remain
@robinmolen
🦺 [open-formulieren/security-issues#36] Frontend HTML sanitizing comp…
1d1a642 
…onent data

Added a simplistic sanitize function that sanitizes component data when saving the component. This function removes most HTML content from the label, tooltip, description and placeholder component data. Only basic semantic tags (`a`, `b`, `em`, `i`, `string`, `u`) are allowed. Also the allowed attributes has been limited to `href` on `a` tags.
@robinmolen robinmolen force-pushed the issue/html-in-component-tooltip branch from 537876f to 1d1a642 Compare March 10, 2025 08:47
@sergei-maertens sergei-maertens merged commit 4cb4b65 into master Mar 10, 2025
31 of 33 checks passed
@sergei-maertens sergei-maertens deleted the issue/html-in-component-tooltip branch March 10, 2025 13:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@viktorvanwijk viktorvanwijk viktorvanwijk requested changes

@sergei-maertens sergei-maertens sergei-maertens approved these changes

@vaszig vaszig Awaiting requested review from vaszig

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@robinmolen @sergei-maertens @viktorvanwijk