Escape editor notification messages #148
sol-hermes85 wants to merge 1 commit into
Hi maintainers, thanks again for the work on DeTTECT.
This fixes a small client-side security issue in the editor notification component. Notification messages were rendered with `v-html`, so message text containing HTML could be interpreted by the browser. I checked the current notification call sites and did not find any notification messages that rely on HTML formatting, so this switches message rendering back to Vue's escaped text interpolation.

Changes:
- `message` values as escaped text
- `v-html` out of notification messages

Validation:
- `python -m unittest tests.test_editor_notifications -v`
- `python -m unittest discover -s tests -v`
- `python -m compileall -q tests/test_editor_notifications.py`
- `git diff --check`
- searched `editor/src` for `v-html`, no remaining matches

Note: I also tried to run the editor lint command, but dependency installation fails locally because `node-sass@6.0.1` does not build on Node.js 22. I have kept this PR limited to the notification rendering fix.
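The difference between the two rendering paths the PR describes, as an added example that is not part of the DeTTECT code or this PR: Vue's `{{ message }}` interpolation escapes HTML-significant characters before text reaches the DOM, while `v-html` assigns the string verbatim. Both are modelled below as plain string rendering so they can be checked in Node without a browser or Vue, and a small line scanner mirrors the "no remaining `v-html`" validation step; the sample message and template are constructed.

```javascript
// Characters Vue's text interpolation neutralises before they reach the DOM.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before the fix: <div class="notification" v-html="message"></div>
// Whatever markup the message contains becomes part of the document.
function renderWithVHtml(message) {
  return `<div class="notification">${message}</div>`;
}

// After the fix: <div class="notification">{{ message }}</div>
// Markup-looking text is shown literally and cannot change the DOM.
function renderEscaped(message) {
  return `<div class="notification">${escapeHtml(message)}</div>`;
}

// Lint-style check for the validation step: report every v-html binding
// left in a template source, with its 1-based line number.
function findVHtml(templateSource) {
  const hits = [];
  templateSource.split('\n').forEach((line, i) => {
    if (/\bv-html\s*=/.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

// Constructed sample: a notification text that happens to contain
// angle brackets, quotes and an ampersand.
const SAMPLE_MESSAGE = 'Saved <technique> "T1059" & updated 2 <b>entries</b>';

// Constructed sample template: one unsafe binding, one escaped interpolation.
const SAMPLE_TEMPLATE = [
  '<div class="notification" v-html="message"></div>',
  '<div class="notification">{{ message }}</div>',
].join('\n');

console.log(renderWithVHtml(SAMPLE_MESSAGE));
console.log(renderEscaped(SAMPLE_MESSAGE));
console.log(findVHtml(SAMPLE_TEMPLATE));
```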