Sanitise HTML in long description of enterprise [read-only] #12470
Conversation
This happens only on assignment. We still need to migrate existing data.
We will add a migration to sanitise all existing descriptions but before we do that destructive action, it's good to test this in a read-only fashion first.
They do appear in long_description on au_prod.
Great!
Nice one!
Hey @mkllnk, (I'm also not sure how to simulate such attacks - that would be a very useful skill in testing.) Merging!
Unless there's a vulnerability in the text editor, I think the only way is to manually submit a value with a tool like Postman. You could use some of the html examples in the specs provided by this PR.
ℹ️ Please use project Discover Regenerative (Macdoch pt 2): 3. Open Source Tech Evolution to track work on this issue.
What? Why?
We weren't sanitising the HTML of long enterprise descriptions at all. So here's a remedy that sanitises the field before it reaches the database. All consumers, including API users, should now get sanitised HTML.
There are more attributes like this listed in the issue. But I wanted to get this through faster and get a review first before I apply the same approach to the other three fields.
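An added example, not code from this PR or the project: a plain-Ruby stand-in for the model with a setter that sanitises `long_description` on assignment, plus a read-only audit over existing rows that reports what the later migration would change. The allow-list filter is a simplified stand-in for a real sanitizer such as Rails::Html::SafeListSanitizer, and the sample rows and ids are constructed.

```ruby
# Added example, not code from the PR: sanitise-on-assignment setter plus a
# read-only audit of stored values. The allow-list filter is a stand-in for a
# real sanitizer (e.g. Rails::Html::SafeListSanitizer) so it runs without gems.
ALLOWED_TAGS = %w[p br b i strong em ul ol li a].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze

# Drop tags not on the allow list (their text content is kept, as Rails does);
# on allowed tags keep only allowed attributes, and only http(s)/relative hrefs.
def sanitize_html(html)
  html.to_s.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>}) do
    closing, name, attrs = $1, $2.downcase, $3
    next "" unless ALLOWED_TAGS.include?(name)
    next "<#{closing}#{name}>" if closing == "/" || attrs.strip.empty?
    kept = attrs.scan(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/).select do |attr, value|
      ALLOWED_ATTRS.fetch(name, []).include?(attr.downcase) &&
        value =~ %r{\A(https?://|/|#)}
    end
    "<#{name}#{kept.map { |a, v| %( #{a.downcase}="#{v}") }.join}>"
  end
end

# Stand-in for the ActiveRecord model: the setter sanitises on assignment, so
# every consumer, including API clients, reads clean HTML from the database.
class Enterprise
  attr_reader :long_description
  def initialize(long_description = nil)
    self.long_description = long_description
  end
  def long_description=(value)
    @long_description = value.nil? ? nil : sanitize_html(value)
  end
end

# Read-only audit: report which stored descriptions the sanitiser would change,
# without writing anything (the check the PR wants before the migration).
def audit_descriptions(rows)
  rows.each_with_object({}) do |(id, html), report|
    clean = sanitize_html(html)
    report[id] = { before: html, after: clean } if clean != html
  end
end

# Constructed sample rows with hypothetical ids; not real enterprise data.
SAMPLE_ROWS = {
  1 => "<p>Organic veg box, <b>delivered weekly</b>.</p>",
  2 => "<p>Shop now</p><script>alert(1)</script>",
  3 => "<a href=\"javascript:alert(1)\" onclick=\"x()\">Our farm</a>"
}.freeze
audit_descriptions(SAMPLE_ROWS).each { |id, d| puts "#{id}: #{d[:after]}" }
```

Running the audit against a copy of production data gives the list of rows the migration would touch without modifying anything.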
What should we test?
Release notes
Changelog Category (reviewers may add a label for the release notes):
The title of the pull request will be included in the release notes.
Dependencies
Documentation updates