feat(SafeHtml): Extend filters for additional defense
Related issue - https://gitlab.com/gitlab-org/gitlab/-/issues/369210
What does this MR do?
This MR improves the protection against XSS vulnerabilities by filtering out all potentially dangerous data-* attributes. This is an improvement to #1421 (closed).
- It now covers more data-* attributes supported by rails-ujs (https://github.com/rails/rails/blob/8de181dac638457564677e02c71a9d04fd3e7fde/actionview/app/assets/javascripts/rails-ujs.coffee). A similar change shall be rolled out to gitlab-org/gitlab in gitlab!92962 (closed).
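As an added example of the policy this MR applies (not gitlab-ui's or rails-ujs' own code): an attribute filter that drops the data-* attributes rails-ujs reacts to, so that markup surviving sanitization cannot trigger a rails-ujs request, method override or confirm dialog. The attribute list is my reading of rails-ujs and should be checked against the linked source; the string-based tag walker is only an illustration, and in production the same deny-list belongs in a DOM-based sanitizer (for instance DOMPurify's FORBID_ATTR option).

```javascript
// Added example, not gitlab-ui's or rails-ujs' own code: drop the data-*
// attributes that rails-ujs acts on, so sanitized HTML cannot trigger a
// rails-ujs request, method override or confirm dialog.
// ASSUMPTION: this list is my reading of rails-ujs; check it against the
// rails-ujs source linked above before relying on it.
const UJS_DATA_ATTRIBUTES = new Set([
  'data-remote', 'data-method', 'data-confirm', 'data-url', 'data-params',
  'data-type', 'data-disable', 'data-disable-with', 'data-with-credentials',
]);

function isForbiddenAttribute(name) {
  return UJS_DATA_ATTRIBUTES.has(name.toLowerCase());
}

// One attribute: a name, optionally followed by =value (quoted or bare).
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Rebuild one start tag without the forbidden attributes, recording what was
// dropped. Illustrative string walker only: in production apply the same
// deny-list through a DOM-based sanitizer (e.g. DOMPurify's FORBID_ATTR).
function filterStartTag(tagText, removed) {
  const m = /^<([a-zA-Z][^\s\/>]*)([^>]*?)(\/?)>$/.exec(tagText);
  if (!m) return tagText;
  const [, tagName, attrsText, selfClose] = m;
  const kept = [];
  for (const attr of attrsText.matchAll(ATTR_RE)) {
    if (isForbiddenAttribute(attr[1])) {
      removed.push(`${tagName.toLowerCase()}[${attr[1].toLowerCase()}]`);
    } else {
      kept.push(attr[0]);
    }
  }
  const attrs = kept.length ? ` ${kept.join(' ')}` : '';
  return `<${tagName}${attrs}${selfClose}>`;
}

// Returns the filtered markup plus a list of "tag[attribute]" entries that
// were removed, useful for logging how often untrusted input carried them.
function stripUjsAttributes(html) {
  const removed = [];
  const out = html.replace(/<[a-zA-Z][^>]*>/g, (tag) => filterStartTag(tag, removed));
  return { html: out, removed };
}

// Constructed sample: a link carrying the attributes rails-ujs would act on.
const SAMPLE = '<a href="/projects/1" data-method="delete" data-confirm="Sure?">Leave</a>';
```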
Does this MR meet the acceptance criteria?
Conformity
- Code review guidelines.
- GitLab UI's contributing guidelines.
- If it changes a Pajamas-compliant component's look & feel, the MR has been reviewed by a UX designer.
- If it changes GitLab UI's documentation guidelines, the MR has been reviewed by a Technical Writer.
- If the MR changes a component's API, integration MR(s) have been opened in the following projects to ensure that the @gitlab/ui package can be upgraded quickly after the changes are released:
  - GitLab: mr_url
  - CustomersDot: mr_url
  - Status Page: mr_url
- Added the ~"component:*" label(s) if applicable.
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- Security reports checked/validated by a reviewer from the AppSec team
Accessibility
If this MR adds or modifies a component, take a few moments to review the following:
- All actions and functionality can be done with a keyboard.
- Links, buttons, and controls have a visible focus state.
- All content is presented in text or with a text equivalent. For example, alt text for SVG, or aria-label for icons that have meaning or perform actions.
- Changes in a component's state are announced by a screen reader. For example, changing aria-expanded="false" to aria-expanded="true" when an accordion is expanded.
- Color combinations have sufficient contrast.
Edited by Dheeraj Joshi