Mitigate risk of using dangerouslySetInnerHTML
#1612
Conversation
🦋 Changeset detectedLatest commit: ee76a6f The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
| import { TextDecoder, TextEncoder } from 'util'; | ||
|
|
||
| global.TextEncoder = TextEncoder; | ||
| global.TextDecoder = TextDecoder; |
There was a problem hiding this comment.
This is necessary in order to use isomorphic dompurify: kkomelin/isomorphic-dompurify#91 (comment)
There was a problem hiding this comment.
please put this comment in the actual jest.setup file
| @@ -64,9 +64,11 @@ | |||
| "@radix-ui/react-dropdown-menu": "0.1.6", | |||
| "@radix-ui/react-slider": "0.1.4", | |||
| "@radix-ui/react-tabs": "0.1.5", | |||
| "@types/dompurify": "2.3.3", | |||
There was a problem hiding this comment.
This import fixed the following rollup error: rollup/rollup-plugin-commonjs#361
There was a problem hiding this comment.
This should be in devDependencies since it's not a runtime dependency, just a build-time dependency.
| "@xstate/react": "1.6.3", | ||
| "classnames": "2.3.1", | ||
| "deepmerge": "4.2.2", | ||
| "isomorphic-dompurify": "0.18.0", |
There was a problem hiding this comment.
Importing the isomorphic version of dompurify in order to get the e2e and docs tests to pass. Isomorphic dompurify is basically a wrapper around dompurify that allows it to run on the server side as well as the client.
There was a problem hiding this comment.
I'm nervous about depending on this package which hasn't been battle tested as much as the original. I'd prefer that we create our own universal isomorphic wrapper around DOMPurify.
|
Closing this PR because we've found a better solution: #1622 |
|
Out for JD
|
|
Taking an extended weekend ?
POC for JS Issues
Ashish Nanda : ***@***.******@***.***>
POC for UI Issues
Milan Shah : ***@***.******@***.***>
|
Description of changes
Potential Security Risk
Within the React package of the Amplify UI codebase, we are using React’s
dangerouslySetInnerHTMLto insert CSS into a<style>tag and then inject it into the DOM:We are doing this because we need to dynamically insert CSS into the page.
The reason this is potential security risk is because a developer could dynamically set a theme based on user input. This could allow an attacker to execute malicious code on the webpage since React’s
dangerouslySetInnerHTMLdoes not sanitize the HTML.However, as mentioned in the internal T Corp ticket: “the risk of an unknown attacker being able to exploit this condition would be highly unlikely because the React DOM escapes everything in JSX before rendering, making XSS almost impossible. The CSS that's being set is in control of the Amplify UI team.”
Additionally, the internal
createThemefunction escapes all input to strings and does not execute any of the passed-in code.Solution
To mitigate this risk, we are using the DOMPurify to sanitize the HTML and prevent XSS attacks. DOMPurify is the library that OWASP recommends. Specifically, we are using isomorphic-dompurify in order to get the e2e and docs tests to pass (by rendering on both the client and server side).
Tradeoffs to using DOMPurify
*** Note: I am still writing tests to confirm that the sanitization works as expected.
Issue #, if available
Description of how you validated changes
Checklist
yarn testpassesBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.