Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vsx-registry: sanitize readme #9424

Merged
merged 1 commit into from
May 10, 2021
Merged

vsx-registry: sanitize readme #9424

merged 1 commit into from
May 10, 2021

Conversation

vince-fugnitto
Copy link
Member

@vince-fugnitto vince-fugnitto commented May 3, 2021
edited
Loading

What it does

The following pull-request sanitizes the rendered readme of extensions for security purposes. The sanitization is similar to other
areas of the code which make use of dangerouslySetInnerHTML.

How to test

  1. start the application
  2. open the extensions-view (F1 > Toggle Extensions View)
  3. verify the readme of the following (when double-clicking their entries in the tree):
    3.1 builtin extensions
    3.2 installed extensions
    3.3 extension search results

Review checklist

Reminder for reviewers

Signed-off-by: vince-fugnitto vincent.fugnitto@ericsson.com

@vince-fugnitto vince-fugnitto added security issues related to security vsx-registry Issues related to Open VSX Registry Integration labels May 3, 2021
@colin-grant-work colin-grant-work self-requested a review May 6, 2021 15:39
colin-grant-work
colin-grant-work approved these changes May 6, 2021
View reviewed changes
Copy link
Contributor

@colin-grant-work colin-grant-work left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. I confirmed that readmes for search results, installed plugins, and builtins all render (I did not previously know how boring and uniform the readmes for the builtins were :-)), and it's good to add a bit of security to it.

packages/vsx-registry/src/browser/vsx-extension.tsx Outdated Show resolved Hide resolved
@vince-fugnitto
vsx-registry: sanitize readme
f60614c 
The following pull-request sanitizes the rendered `readme` of
extensions for security purposes. The sanitization is similar to other
areas of the code which make use of `dangerouslySetInnerHTML`.

Signed-off-by: vince-fugnitto <vincent.fugnitto@ericsson.com>
@vince-fugnitto
Copy link
Member Author

I'll merge on monday if there are no other comments.

@vince-fugnitto vince-fugnitto merged commit 2560b65 into master May 10, 2021
@vince-fugnitto vince-fugnitto deleted the vf/vsx-sanitize branch May 10, 2021 12:21
@github-actions github-actions bot added this to the 1.14.0 milestone May 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colin-grant-work colin-grant-work colin-grant-work approved these changes

@paul-marechal paul-marechal Awaiting requested review from paul-marechal

@marcdumais-work marcdumais-work Awaiting requested review from marcdumais-work

Assignees
No one assigned
Labels
security issues related to security vsx-registry Issues related to Open VSX Registry Integration
Projects
None yet
Milestone
1.14.0
Development

Successfully merging this pull request may close these issues.
2 participants
@vince-fugnitto @colin-grant-work