Fix for displaying string tags in summary pages

[jeffibm]

Edit the description to something like this-

Then go to summary page to check this-

Before

After

Snapshots were also updated

[jrafanie]

My only concern is what version of dompurify we're using and ensuring we're up to date. I have 2.4.5 in my yarn.lock locally. As of today, the latest is 3.0.6 and 2.4.7 according to https://github.com/cure53/DOMPurify/tags. @jeffibm is that ok?

[Fryguy]

We should not be allowing arbitrary strings to set this stuff, particularly if they come from outside of our application. It should only be in specific select things we want to allow it in. I'm a big 👎 on this at the moment.

Additionally, have you checked whether iframes can be rendered? If so, that component is out too IMO.

[Fryguy]

This change feels very dangerous as it opens it up to everything possibly in the structure list right hand side. I barely like this feature at all, but where we want to use it I want us to be very selective about it.

[jeffibm]

We should not be allowing arbitrary strings to set this stuff, particularly if they come from outside of our application. It should only be in specific select things we want to allow it in. I'm a big 👎 on this at the moment.

Additionally, have you checked whether iframes can be rendered? If so, that component is out too IMO.

Checked with iframes in description
<p><iframe src="https://www.manageiq.org"></iframe></p>

and it did not render in UI

[jeffibm]

This change feels very dangerous as it opens it up to everything possibly in the structure list right hand side. I barely like this feature at all, but where we want to use it I want us to be very selective about it.

are you suggesting that we use them on selected pages?

For eg, use this fix when

1. service catalog summary pages are loaded
2. (other pages if needed)

[Fryguy]

are you suggesting that we use them on selected pages?

Yes, I think we need to be very specific about which fields use this down to very specific fields. By extension, we should not code this generically in things like MiqStructuredList.

I'm not sure what other fields we want this in. Service description field is acceptable. I'd like to know which other fields we think are also acceptable.

[miq-bot]

Checked commit jeffbonson@0353a97 with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint
0 files checked, 0 offenses detected
Everything looks fine. 🏆

[jeffibm]

are you suggesting that we use them on selected pages?

Yes, I think we need to be very specific about which fields use this down to very specific fields. By extension, we should not code this generically in things like MiqStructuredList.

I'm not sure what other fields we want this in. Service description field is acceptable. I'd like to know which other fields we think are also acceptable.

The values we get to the react components are in string format.

In this case,

{
label: "Name / Description",
text: "003-service-catalog / <p><iframe src="https://www.manageiq.org"></iframe></p>"
}

If we want to restrict the usage of DOMPurify based on the field (or label), then it might be a problem when they are translated.

I tried another option. We are passing a unique mode to every component and we can make use of the mode to restrict the usage of DOMPurify for the entire component's right side.

In this case, all values of the Catalogs / Basic Information (right-hand side) will be affected.

I had pushed these changes.

[Fryguy]

Let's discuss further. An idea was raised to perhaps allow markdown content, and I really like that idea, so perhaps we can explore that.

[jeffibm]

I guess we can close this PR as the suggested fix has been attempted in another PR - #8972

[jeffibm]

Closing this PR since the changes are handled in a different PR - #8972