feat(GlSafeHtml): sanitize potentially dangerous data attributes

Dheeraj Joshi requested to merge djadmin-safe-html-data-attrs into main

Implements (partially) #1421 (closed)

What does this MR do?

This MR updates the default configuration for GlSafeHtmlDirective to be secure by default.

This is done to sanitize some of the (potentially dangerous) data-* attributes used by @rails/ujs. See #1421 (comment 617098438) for context. This prevents framework-specific security issues such as XSS.

Follow-up task:

In gitlab-org/gitlab, we added DOMPurify hooks to implement similar behavior, see gitlab!65301 (merged). So these hooks need to be removed after this release.

gitlab#335684 (closed)
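The sanitization described above, as an added example (not code from gitlab-ui, this MR, or gitlab!65301): a DOMPurify `uponSanitizeAttribute` hook that drops the data-* attributes @rails/ujs acts on, driven through a stand-in purifier so it runs offline. The attribute list comes from the @rails/ujs documentation and the `addHook(name, fn)` shape from DOMPurify's public API; both are assumptions here, not values taken from this page.

```javascript
// Added example, not part of the MR: strip the data-* attributes that
// @rails/ujs turns into behaviour (method override, remote submit,
// confirm dialogs, ...), so HTML passed through a sanitizer cannot
// drive UJS even when the markup itself is otherwise harmless.
// Attribute names are the ones @rails/ujs documents (assumption).
const UJS_ATTRIBUTES = new Set([
  'data-remote', 'data-method', 'data-confirm', 'data-url',
  'data-params', 'data-type', 'data-disable', 'data-disable-with',
]);

function isUjsAttribute(name) {
  return UJS_ATTRIBUTES.has(String(name).toLowerCase());
}

// Hook in DOMPurify's uponSanitizeAttribute shape: `data` carries
// attrName / attrValue / keepAttr / forceKeepAttr for the attribute
// under consideration; keepAttr=false makes DOMPurify remove it.
function stripUjsAttributes(node, data) {
  if (isUjsAttribute(data.attrName)) {
    data.keepAttr = false;
    data.forceKeepAttr = false;
  }
  return data;
}

// `purifier` is assumed to expose DOMPurify's addHook(name, fn).
function installUjsHook(purifier) {
  purifier.addHook('uponSanitizeAttribute', stripUjsAttributes);
}

// Offline driver: a stand-in purifier records the hook and feeds a
// constructed list of attribute names through it, returning the
// names a real DOMPurify run would keep.
function sanitizeAttributeNames(attrNames) {
  const hooks = [];
  const fakePurifier = { addHook: (_name, fn) => hooks.push(fn) };
  installUjsHook(fakePurifier);
  return attrNames.filter((attrName) => {
    const data = { attrName, attrValue: '', keepAttr: true, forceKeepAttr: false };
    hooks.forEach((fn) => fn(null, data));
    return data.keepAttr;
  });
}

// Constructed input: a link carrying both benign and UJS attributes.
console.log(sanitizeAttributeNames(['href', 'data-method', 'data-testid', 'data-confirm']));
```

With the real library, `installUjsHook(DOMPurify)` registers the same hook globally; passing the same names via DOMPurify's `FORBID_ATTR` option is the configuration-only alternative.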

Does this MR meet the acceptance criteria?

Conformity

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Dheeraj Joshi