DOMPurify: Disallow form tag by default (!102973) · Merge requests · GitLab.org / GitLab

Dheeraj Joshi requested to merge djadmin-forbid-form-tag into master Nov 04, 2022

Implements https://gitlab.com/gitlab-org/gitlab/-/issues/370314.

What does this MR do and why?

This MR forbids the <form> ~~and <input>~~ in DOMPurify & v-safe-html. This is being done to prevent possible injection attacks. To learn more about the security part of it, see related issue.

~~This change is feature flag controlled with a new flag dompurify_advance_filter.~~

Note: The input tags will be forbidden with #383333.

Screenshots or screen recordings

No visual changes for users.

How to set up and validate locally

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Nov 22, 2022 by Dheeraj Joshi

DOMPurify: Disallow form tag by default

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports