
Replace underscore `_.escape` with DOMPurify

Jose Ivan Vargas requested to merge jivl-poc-dompurify into master

What does this MR do?

Replaces all of our uses of underscore's `_.escape` with `DOMPurify.sanitize`. More info about DOMPurify here: https://github.com/cure53/DOMPurify

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Why?

A couple of motivations behind this MR are the following:

  1. We need a library that is tailored for security. Nothing against underscore, it has served us well, but the threats out there are vast and varied.
  2. By removing all of the uses of _.escape we can begin evaluating a replacement for underscore should we want to.

Caveats

While DOMPurify has a lot of goodies under the hood, the possible caveats are the following:

  1. The library is dual-licensed in the form "A or B": one of the licenses is the Apache License, Version 2.0 and the other is the Mozilla Public License, version 2.0. The former is already in the acceptable licenses section of our handbook. For the other one I'm checking with legal whether it's possible to have it included. It looks compatible, but I'm no lawyer.
  2. DOMPurify's logic is that there's a whitelist and a blacklist of things that will get sanitized, so some tests will look weird, because something like `<script>alert('hello')</script>` will get converted to `''`.
Edited by Jose Ivan Vargas
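The second caveat above follows from `_.escape` and `DOMPurify.sanitize` doing different jobs: escaping encodes every character so markup in the input is rendered as literal text, while sanitizing parses the input as HTML, keeps allowlisted tags and attributes, and drops the rest. The added example below (not code from this merge request or from either library) puts the two side by side on the same constructed inputs, so reviewers can see which call sites change rendering semantics. It assumes Node.js; `escapeHtml` reimplements underscore's documented `_.escape` character map, and the DOMPurify column needs the `dompurify` and `jsdom` packages (DOMPurify requires a DOM) and is reported as `null` when they are not installed.

```javascript
// Added example: underscore-style _.escape versus DOMPurify.sanitize on the
// same inputs. Not code from the merge request or from either library.
// Assumes Node.js; the DOMPurify half needs `dompurify` and `jsdom` installed
// and is skipped (returns null) when they are not.

// The character map underscore uses for _.escape: & < > " ' `
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

// Output encoding for an HTML text context: nothing is removed, markup in the
// input becomes visible text instead of being interpreted.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// DOMPurify needs a window object; in Node that comes from jsdom. Optional here.
function loadDomPurify() {
  try {
    const { JSDOM } = require('jsdom');
    const createDOMPurify = require('dompurify');
    return createDOMPurify(new JSDOM('').window);
  } catch (e) {
    return null; // packages not installed
  }
}

const DOMPurify = loadDomPurify();

// Sanitization with DOMPurify's default config: the input is parsed as HTML,
// allowlisted tags/attributes are kept, everything else is dropped.
function sanitizeHtml(dirty) {
  return DOMPurify ? DOMPurify.sanitize(dirty) : null;
}

// Constructed inputs: plain text, harmless markup, and two classic XSS payloads.
const SAMPLES = [
  'Tom & Jerry',
  '<b>bold</b>',
  "<script>alert('hello')</script>",
  '<img src=x onerror=alert(1)>',
];

// One comparison row; `identical` is true only when both calls agree, which
// happens for plain text and fails as soon as the input contains markup.
function compare(input) {
  const escaped = escapeHtml(input);
  const sanitized = sanitizeHtml(input);
  return {
    input,
    escaped,
    sanitized,
    identical: sanitized !== null && escaped === sanitized,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of SAMPLES.map(compare)) console.log(row);
}
```

With DOMPurify available, `'Tom & Jerry'` comes out as `Tom &amp; Jerry` from both calls, but `<b>bold</b>` stays `<b>bold</b>` after sanitizing while escaping yields `&lt;b&gt;bold&lt;/b&gt;`, the script payload becomes `''` after sanitizing, and the `img` payload keeps the tag but loses its `onerror` handler. A call site that relied on `_.escape` to display user-supplied angle brackets as text will therefore behave differently after the swap, which is the caveat the description points at.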
