
DOMPurify: Disallow form tag by default

Merged Dheeraj Joshi requested to merge djadmin-forbid-form-tag into master

Implements https://gitlab.com/gitlab-org/gitlab/-/issues/370314.

What does this MR do and why?

This MR forbids the <form> and <input> tags in DOMPurify & v-safe-html. This is being done to prevent possible injection attacks. To learn more about the security part of it, see the related issue.

This change is feature-flag controlled with a new flag, dompurify_advance_filter.

Note: The input tags will be forbidden with #383333.

Screenshots or screen recordings

No visual changes for users.

How to set up and validate locally

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dheeraj Joshi

Merge request reports

Merged results pipeline #703500103 passed with warnings
Merged results pipeline passed with warnings for 39147fa5

Test coverage 85.08% (13.02%) from 2 jobs

Merged by Andrew Fontaine 2 years ago (Nov 23, 2022 6:27pm UTC)
Pipeline #703559191 passed

Pipeline passed for 355034df on master

Test coverage 72.09% (13.02%) from 2 jobs
10 environments impacted.