feat(GlSafeHtml): sanitize potentially dangerous data attributes
Implements (partially) #1421 (closed)
What does this MR do?
This MR updates the default configuration of GlSafeHtmlDirective so that it is secure by default. It sanitizes some of the (potentially dangerous) data-* attributes used by @rails/ujs. See #1421 (comment 617098438) for context. This prevents framework-specific security issues such as XSS.
Follow-up task:
In gitlab-org/gitlab, we added DOMPurify hooks to implement similar behavior, see gitlab!65301 (merged). These hooks need to be removed after this release.
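As an added illustration (not gitlab-ui's or gitlab-org/gitlab's own code), the two approaches mentioned above side by side: a DOMPurify config that forbids the @rails/ujs data-* attributes by default while still letting a consumer extend it, and the equivalent uponSanitizeAttribute hook. The attribute list and the buildSafeHtmlConfig/dropRailsUjsAttribute names are assumptions made for this example.

```javascript
// Assumed for this example: the data-* attributes @rails/ujs reads to turn a
// click on an element into a request (e.g. <a href="/x" data-method="delete">
// becomes a state-changing form submission with the session's CSRF token).
const RAILS_UJS_DATA_ATTRS = Object.freeze([
  'data-method', 'data-remote', 'data-url', 'data-type', 'data-params', 'data-confirm',
]);

// Secure-by-default config for a DOMPurify-based directive: the caller's
// options are merged in, and FORBID_ATTR is unioned with the defaults so a
// consumer can add attributes but cannot silently drop the rails-ujs ones.
function buildSafeHtmlConfig(userConfig = {}) {
  const userForbid = userConfig.FORBID_ATTR || [];
  return {
    ...userConfig,
    FORBID_ATTR: [...new Set([...RAILS_UJS_DATA_ATTRS, ...userForbid])],
  };
}

// Hook form, following DOMPurify's uponSanitizeAttribute signature:
// (currentNode, hookEvent, config) where hookEvent carries attrName
// (already lowercased by DOMPurify), attrValue and keepAttr. Setting
// keepAttr to false makes DOMPurify remove the attribute from the node.
function dropRailsUjsAttribute(currentNode, hookEvent) {
  if (RAILS_UJS_DATA_ATTRS.includes(hookEvent.attrName)) {
    hookEvent.keepAttr = false;
  }
  return hookEvent.keepAttr;
}

// Wiring when DOMPurify is loaded (import DOMPurify from 'dompurify'):
//   DOMPurify.addHook('uponSanitizeAttribute', dropRailsUjsAttribute);
//   DOMPurify.sanitize(html, buildSafeHtmlConfig({ FORBID_ATTR: ['style'] }));
```

The config form is preferable when the sanitizer is created per directive instance; the hook form is global to the DOMPurify instance, which is why the page notes the gitlab-org/gitlab hooks must be removed once the directive itself forbids these attributes.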
Does this MR meet the acceptance criteria?
Conformity
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods, or other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Dheeraj Joshi