discourse-placeholder-theme-component

History

David Taylor 948634fe31 SECURITY: Apply transformations to text nodes only Previously, the replacement system would modify raw HTML, which is prone to issues and vulnerabilities. With this commit, we iterate over text nodes only, and do simple string replacements on their content. That means that the user input never gets passed into an HTML parser, and there is no chance of injection attacks. The re-rendering system is also simplified to store the original value for re-use later, instead of mapping position/length of replacements. This does mean the behavior is changed slightly. Replacements will no longer be applied to html attributes (e.g `a[href]`). If this affects your use-case, please let us know [on Meta](https://meta.discourse.org/t/113533). This is a followup to the fix in `a62f711d56`	2024-08-29 10:15:53 +01:00
..
components/modal	DEV: Update linting (#28 )	2024-03-27 18:55:28 +01:00
initializers	SECURITY: Apply transformations to text nodes only	2024-08-29 10:15:53 +01:00

SECURITY: Apply transformations to text nodes only

Previously, the replacement system would modify raw HTML, which is prone to issues and vulnerabilities. With this commit, we iterate over text nodes only, and do simple string replacements on their content. That means that the user input never gets passed into an HTML parser, and there is no chance of injection attacks.

The re-rendering system is also simplified to store the original value for re-use later, instead of mapping position/length of replacements.

This does mean the behavior is changed slightly. Replacements will no longer be applied to html attributes (e.g `a[href]`). If this affects your use-case, please let us know [on Meta](https://meta.discourse.org/t/113533).

This is a followup to the fix in a62f711d56

2024-08-29 10:15:53 +01:00

components/modal DEV: Update linting (#28 ) 2024-03-27 18:55:28 +01:00

initializers SECURITY: Apply transformations to text nodes only 2024-08-29 10:15:53 +01:00