
Commit 306fed7

committed
Wrapped all dangerouslySetInnerHTML content with DOMPurify.sanitize()
1 parent f086a41 commit 306fed7

6 files changed

Lines changed: 29 additions & 24 deletions


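--- a/client/src/pages/ApplicationDetail.jsx
+++ b/client/src/pages/ApplicationDetail.jsx
@@ -221,11 +221,11 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
 return (
 <div className="connect-options-container">
 <h3>{I18n.t("applicationConnect.requestMember")}</h3>
-<p dangerouslySetInnerHTML={{
-__html: I18n.t("applicationConnect.memberRequestInfo.info",
-{orgName: currentOrganization.name})
-}}/>
-<p dangerouslySetInnerHTML={{__html: I18n.t("applicationConnect.memberRequestInfo.subInfo")}}/>
+<p dangerouslySetInnerHTML={{
+__html: DOMPurify.sanitize(I18n.t("applicationConnect.memberRequestInfo.info",
+{orgName: currentOrganization.name}))
+}}/>
+<p dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("applicationConnect.memberRequestInfo.subInfo"))}}/>
 <InputField multiline={true}
 displayLabel={false}
 value={message}
@@ -460,7 +460,7 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
 <div className="not-allowed-container">
 <NotAllowedIcon/>
 <p
-dangerouslySetInnerHTML={{__html: I18n.t("appAccess.noDecentralAccess")}}/>
+dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("appAccess.noDecentralAccess"))}}/>
 </div>
 </InfoBlock>
 </div>
@@ -609,7 +609,7 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
 : I18n.t("applicationDetail.noInformation")}
 </span>
 <span
-dangerouslySetInnerHTML={{__html: I18n.t("applicationDetail.wiki")}}/>
+dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("applicationDetail.wiki"))}}/>
 </p>
 <p>{I18n.t("applicationDetail.contractualInfoOrganization",
 {name: providerOrganizationName(I18n.locale, serviceProvider)})}</p>
@@ -632,7 +632,7 @@ const ApplicationDetail = ({anonymous, refreshUser}) => {
 <p className="info">{I18n.t('applicationDetail.interfedSource')}</p>
 <span
 dangerouslySetInnerHTML={{
-__html: I18n.t('applicationDetail.registrationInfo', {url: metaData["mdrpi:RegistrationInfo"]}),
+__html: DOMPurify.sanitize(I18n.t('applicationDetail.registrationInfo', {url: metaData["mdrpi:RegistrationInfo"]})),
 }}
 />
 </div>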
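Review bot: None of the four hunks in this file adds `import DOMPurify from "dompurify";`, and the file's diffstat (8 additions, all of them visible in these hunks) leaves no room for one elsewhere, so unless the file already imported it before this commit every `DOMPurify.sanitize(...)` call here will throw a ReferenceError when these branches render. The other five files in the commit add the import next to their existing imports; this file needs `import DOMPurify from "dompurify";` in its import block as well, and a quick render of the connect, not-allowed and wiki branches would confirm it. The first hunk sanitizes after `currentOrganization.name` is interpolated, which is the right order, since the organization name is covered by the same pass as the translated markup. The enclosing ApplicationDetail component starts and ends outside these hunks.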

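--- a/client/src/pages/Connect.jsx
+++ b/client/src/pages/Connect.jsx
@@ -5,6 +5,7 @@ import I18n from "../locale/I18n.js";
 import StudentPng from "../icons/student.png";
 import {Button, ButtonType} from "@surfnet/sds";
 import {useNavigate} from "react-router-dom";
+import DOMPurify from "dompurify";
 
 const Connect = () => {
 
@@ -50,17 +51,17 @@ const Connect = () => {
 <td>
 <p>{I18n.t("connect.commercial")}</p>
 </td>
-<td dangerouslySetInnerHTML={{__html: I18n.t("connect.fairUse")}}/>
-<td dangerouslySetInnerHTML={{__html: I18n.t("connect.accessTOS")}}/>
-<td dangerouslySetInnerHTML={{__html: I18n.t("connect.connectionAgreement")}}/>
+<td dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("connect.fairUse"))}}/>
+<td dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("connect.accessTOS"))}}/>
+<td dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("connect.connectionAgreement"))}}/>
 </tr>
 <tr>
 <td>
 <p>{I18n.t("connect.surfMember")}<sup>*</sup></p>
 </td>
 <td><span>{I18n.t("connect.notNeeded")}</span></td>
 <td><span>{I18n.t("connect.notNeeded")}</span></td>
-<td dangerouslySetInnerHTML={{__html: I18n.t("connect.memberAgreement")}}/>
+<td dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("connect.memberAgreement"))}}/>
 </tr>
 </tbody>
 </table>
@@ -75,7 +76,7 @@ const Connect = () => {
 <p>{I18n.t("connect.serviceInfo")}</p>
 <ul>
 {I18n.translations[I18n.locale].connect.serviceBullets
-.map((s,index) => <li key={index} dangerouslySetInnerHTML={{__html: s}}/>)}
+.map((s,index) => <li key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(s)}}/>)}
 </ul>
 </div>
 <div>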
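Review bot: The `{__html: DOMPurify.sanitize(...)}` expression is repeated verbatim at five call sites in this file (and at every site in the other five files), so any later allow-list configuration has to be applied in each place and a new `dangerouslySetInnerHTML` site can silently miss the wrapper. A single helper, e.g. `const sanitizedHtml = (html) => ({__html: DOMPurify.sanitize(html)});` in a shared utils module, used as `<td dangerouslySetInnerHTML={sanitizedHtml(I18n.t("connect.fairUse"))}/>`, keeps the sanitizing policy in one place. None of the hunks passes options, so DOMPurify's default configuration applies; that default strips `target` on links, so if the agreement and TOS translations rely on `target="_blank"` the rendered links should be checked and the attribute re-allowed in the one helper rather than per site. The Connect component continues outside these hunks.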

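--- a/client/src/pages/Home.jsx
+++ b/client/src/pages/Home.jsx
@@ -6,6 +6,7 @@ import {Background} from "../components/Background.jsx";
 import {Link, useNavigate} from "react-router-dom";
 import {Button, ButtonType} from "@surfnet/sds";
 import {useAppStore} from "../stores/AppStore.js";
+import DOMPurify from "dompurify";
 
 export const Home = () => {
 
@@ -29,7 +30,7 @@ export const Home = () => {
 {I18n.t("landing.header.title")}
 </h1>
 <p
-dangerouslySetInnerHTML={{__html: I18n.t("landing.header.subTitle")}}/>
+dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("landing.header.subTitle"))}}/>
 </div>
 <Logo/>
 </div>
@@ -41,7 +42,7 @@ export const Home = () => {
 </h3>
 {I18n.translations[I18n.locale].landing.applicationProviders.info
 .map((info, index) =>
-<p key={index} dangerouslySetInnerHTML={{__html: info}}/>
+<p key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(info)}}/>
 )}
 <Button onClick={() => navigate("/connect")}
 txt={I18n.t("landing.applicationProviders.connect")}/>
@@ -52,7 +53,7 @@ export const Home = () => {
 </h3>
 {I18n.translations[I18n.locale].landing.institutions.info
 .map((info, index) =>
-<p key={index} dangerouslySetInnerHTML={{__html: info}}/>
+<p key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(info)}}/>
 )}
 <Button onClick={() => contactUs()}
 type={ButtonType.Secondary}
@@ -64,7 +65,7 @@ export const Home = () => {
 </h3>
 {I18n.translations[I18n.locale].landing.joining.info
 .map((info, index) =>
-<p key={index} dangerouslySetInnerHTML={{__html: info}}/>
+<p key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(info)}}/>
 )}
 <p className="links">
 <span>{I18n.t("landing.joining.links.prefix")}</span>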
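Review bot: The three list hunks (@@ -41, @@ -52 and @@ -64) each restate `.map((info, index) => <p key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(info)}}/>)`, and LoginInfo.jsx repeats the same line twice more, so the sanitizer call is exactly the piece the next copy of this block is likely to lose. A small shared component, e.g. `const SanitizedParagraphs = ({items}) => items.map((info, index) => <p key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(info)}}/>);`, used as `<SanitizedParagraphs items={I18n.translations[I18n.locale].landing.institutions.info}/>`, would keep the wrapper in one place for both files. The `key={index}` is pre-existing and acceptable for static translation arrays. The Home component body continues outside these hunks.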

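--- a/client/src/pages/Landing.jsx
+++ b/client/src/pages/Landing.jsx
@@ -8,6 +8,7 @@ import {newOrganization, searchOrganizations} from "../api/index.js";
 import {useDebouncedCallback} from 'use-debounce';
 import {isEmpty} from "../utils/Utils.js";
 import InputField from "../components/InputField.jsx";
+import DOMPurify from "dompurify";
 import SearchIcon from "@surfnet/sds/icons/functional-icons/search.svg";
 import ArrowRight from "@surfnet/sds/icons/functional-icons/arrow-right-2.svg";
 import ConfirmationDialog from "../components/ConfirmationDialog.jsx";
@@ -132,7 +133,7 @@ const Landing = ({refreshUser}) => {
 {isEmpty(organizations) && <p>{I18n.t("welcome.zeroState")}</p>}
 <section className="organization register"
 onClick={() => createOrganization()}>
-<p dangerouslySetInnerHTML={{__html: I18n.t("welcome.register", {name: search})}}/>
+<p dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("welcome.register", {name: search}))}}/>
 <ArrowRight/>
 </section>
 </>}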
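Review bot: In the second hunk `search` is interpolated into the `welcome.register` translation before sanitizing, so whatever the user typed into the search box is parsed as HTML: `DOMPurify.sanitize` removes dangerous markup, but benign tags or a literal `<` in a search term are still interpreted rather than shown as typed (this assumes `search` is the search-box value, which the hunk does not show; verify against the component). Escaping the value before interpolation, e.g. `{name: escapeHtml(search)}` with a small proposed `escapeHtml` helper that replaces `&`, `<`, `>`, `"` and `'` with their entities, or rendering the name as a text node next to the translated markup, preserves the text exactly. Keeping the `DOMPurify.sanitize` wrapper on the result is still worthwhile as defence in depth for the translation markup itself. The Landing component continues outside this hunk.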

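--- a/client/src/pages/LoginInfo.jsx
+++ b/client/src/pages/LoginInfo.jsx
@@ -6,6 +6,7 @@ import {Background} from "../components/Background.jsx";
 import {Button, ButtonType} from "@surfnet/sds";
 import {useAppStore} from "../stores/AppStore.js";
 import {login} from "../utils/Login.js";
+import DOMPurify from "dompurify";
 
 export const LoginInfo = () => {
 
@@ -19,7 +20,7 @@ export const LoginInfo = () => {
 {I18n.t("landing.loginInfo.title")}
 </h1>
 <p
-dangerouslySetInnerHTML={{__html: I18n.t("landing.loginInfo.subTitle")}}/>
+dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t("landing.loginInfo.subTitle"))}}/>
 </div>
 <Logo/>
 </div>
@@ -31,7 +32,7 @@ export const LoginInfo = () => {
 </h3>
 {I18n.translations[I18n.locale].landing.loginInfo.commercial.info
 .map((info, index) =>
-<p key={index} dangerouslySetInnerHTML={{__html: info}}/>
+<p key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(info)}}/>
 )}
 <Button onClick={() => login(config, true, true)}
 type={ButtonType.Secondary}
@@ -43,7 +44,7 @@ export const LoginInfo = () => {
 </h3>
 {I18n.translations[I18n.locale].landing.loginInfo.education.info
 .map((info, index) =>
-<p key={index} dangerouslySetInnerHTML={{__html: info}}/>
+<p key={index} dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(info)}}/>
 )}
 <Button onClick={() => login(config, true, false)}
 type={ButtonType.Secondary}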

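--- a/client/src/pages/Organization.jsx
+++ b/client/src/pages/Organization.jsx
@@ -12,6 +12,7 @@ import Divider from "../icons/divider.svg";
 import ArrowRight from "@surfnet/sds/icons/functional-icons/arrow-right-2.svg";
 import CardView from "@surfnet/sds/icons/functional-icons/card-view.svg";
 import ListView from "@surfnet/sds/icons/functional-icons/list-or-table-view.svg";
+import DOMPurify from "dompurify";
 import {convertServerApplicationToClient} from "../utils/Application.js";
 import {CONNECTION_STATUSES, ENVIRONMENTS} from "../utils/Manage.js";
 import {
@@ -234,13 +235,13 @@ const Organization = () => {
 <p className="terms">{I18n.t("organization.catalog.terms")}</p>
 <ul>
 <li><p
-dangerouslySetInnerHTML={{__html: I18n.t(`organization.catalog.fairUse${isExternal ? "External" : ""}`)}}/>
+dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t(`organization.catalog.fairUse${isExternal ? "External" : ""}`))}}/>
 </li>
 <li><p
-dangerouslySetInnerHTML={{__html: I18n.t(`organization.catalog.agreement${isExternal ? "External" : ""}`)}}/>
+dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t(`organization.catalog.agreement${isExternal ? "External" : ""}`))}}/>
 </li>
 </ul>
-<p dangerouslySetInnerHTML={{__html: I18n.t(`organization.catalog.disclaimer${isExternal ? "External" : ""}`)}}/>
+<p dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(I18n.t(`organization.catalog.disclaimer${isExternal ? "External" : ""}`))}}/>
 </div>
 </div>}
 {!isEmpty(organization.applications) &&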
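Review bot: The three changed lines in the second hunk each rebuild the same key suffix inline, `${isExternal ? "External" : ""}`, which together with the new `DOMPurify.sanitize(...)` wrapper makes each line hard to scan and lets the three conditionals drift apart over time. Computing `const keySuffix = isExternal ? "External" : "";` once above the JSX and building the three keys as template literals over `keySuffix` reduces each line to the sanitize call and the key. The `dompurify` import in the first hunk lands between vendor svg imports and local utils; grouping it with the other third-party imports at the top of the file is a minor tidy-up. The Organization component starts and ends outside these hunks.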
