21026: applied sanitization in 4 files Arvados-DCO-1.1-Signed-off-by: Lisa Knox ...
authorLisa Knox <lisaknox83@gmail.com>
Tue, 17 Oct 2023 20:36:44 +0000 (16:36 -0400)
committerLisa Knox <lisaknox83@gmail.com>
Tue, 17 Oct 2023 20:36:44 +0000 (16:36 -0400)
src/common/html-sanitize.ts
src/views-components/main-app-bar/main-app-bar.tsx
src/views/inactive-panel/inactive-panel.tsx
src/views/login-panel/login-panel.tsx
src/views/virtual-machine-panel/virtual-machine-user-panel.tsx

index 2bb43d081a4820456183b87e227ee38f8a7129c8..93ebfaa2efee8fa3ff5dcbcb33b28fd8096ad4de 100644 (file)
@@ -42,7 +42,7 @@ const domPurifyConfig: TDomPurifyConfig = {
         'sup',
         'ul',
     ],
-    ALLOWED_ATTR: ['src', 'width', 'height', 'href', 'alt', 'title'],
+    ALLOWED_ATTR: ['src', 'width', 'height', 'href', 'alt', 'title', 'style' ],
 };
 
 export const sanitizeHTML = (dirtyInput: string): string => DOMPurify.sanitize(dirtyInput, domPurifyConfig);
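Review bot: Adding `'style'` to ALLOWED_ATTR on the changed line widens what the sanitizer lets through, and as far as I know DOMPurify only keeps or drops the attribute — it does not validate the CSS inside it — so the five newly sanitized call sites (main-app-bar, inactive-panel, login-panel, virtual-machine-user-panel) can still receive inline CSS that affects layout outside the rendering `span`/`div` (positioned overlays, `url()` fetches). If these strings are cluster-configured rather than end-user supplied the residual risk is limited, but that assumption is not visible here, so a comment recording why the attribute is needed and what it does not protect against would help the next reader: `// 'style' is allowed so configured banner/welcome HTML can carry inline CSS; DOMPurify keeps the attribute but does not check its CSS value, so layout-affecting styles still pass.` If only a few properties are actually needed, consider stripping `style` again in a DOMPurify hook or documenting the accepted exposure. Minor: the trailing space in `'style' ]` does not match the rest of the array.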
index 60ce68e99dce95c147267033e443bd0626aa5ac7..c57d5cd85d51fb75e3a0e507c5ae4d692d75e264 100644 (file)
@@ -15,6 +15,7 @@ import { HelpMenu } from 'views-components/main-app-bar/help-menu';
 import { ReactNode } from "react";
 import { AdminMenu } from "views-components/main-app-bar/admin-menu";
 import { pluginConfig } from 'plugins';
+import { sanitizeHTML } from "common/html-sanitize";
 
 type CssRules = 'toolbar' | 'link';
 
@@ -47,7 +48,7 @@ export const MainAppBar = withStyles(styles)(
                     {pluginConfig.appBarLeft || <Grid container item xs={3} direction="column" justify="center">
                         <Typography variant='h6' color="inherit" noWrap>
                             <Link to={Routes.ROOT} className={props.classes.link}>
-                                <span dangerouslySetInnerHTML={{ __html: props.siteBanner }} /> ({props.uuidPrefix})
+                                <span dangerouslySetInnerHTML={{ __html: sanitizeHTML(props.siteBanner) }} /> ({props.uuidPrefix})
                 </Link>
                         </Typography>
                         <Typography variant="caption" color="inherit">
index 064add3a6d940499daf3e600b6a62e9a36df80fb..be765706975356d53535f4c011fb052569da1af3 100644 (file)
@@ -10,6 +10,7 @@ import { StyleRulesCallback, WithStyles, withStyles } from '@material-ui/core/st
 import { ArvadosTheme } from 'common/custom-theme';
 import { navigateToLinkAccount } from 'store/navigation/navigation-action';
 import { RootState } from 'store/store';
+import { sanitizeHTML } from 'common/html-sanitize';
 
 export type CssRules = 'root' | 'ontop' | 'title';
 
@@ -57,7 +58,7 @@ export const InactivePanelRoot = ({ classes, startLinking, inactivePageText, isL
         style={{ marginTop: 56, height: "100%" }}>
         <Grid item>
             <Typography>
-                <span dangerouslySetInnerHTML={{ __html: inactivePageText }} style={{ margin: "1em" }} />
+                <span dangerouslySetInnerHTML={{ __html: sanitizeHTML(inactivePageText) }} style={{ margin: "1em" }} />
             </Typography>
         </Grid>
         { !isLoginClusterFederation
index 110097bee59dc7d09a9afbcdcf53f50516114755..f834b3b6dfcaf2346890fd9d38da848a20f60ad4 100644 (file)
@@ -12,6 +12,7 @@ import { RootState } from 'store/store';
 import { LoginForm } from 'views-components/login-form/login-form';
 import Axios from 'axios';
 import { Config } from 'common/config';
+import { sanitizeHTML } from 'common/html-sanitize';
 
 type CssRules = 'root' | 'container' | 'title' | 'content' | 'content__bolder' | 'button';
 
@@ -98,7 +99,7 @@ export const LoginPanel = withStyles(styles)(
             style={{ marginTop: 56, overflowY: "auto", height: "100%" }}>
             <Grid item className={classes.container}>
                 <Typography component="div">
-                    <div dangerouslySetInnerHTML={{ __html: welcomePage }} style={{ margin: "1em" }} />
+                    <div dangerouslySetInnerHTML={{ __html: sanitizeHTML(welcomePage) }} style={{ margin: "1em" }} />
                 </Typography>
                 {Object.keys(remoteHosts).length > 1 && loginCluster === "" &&
 
index 751ca5f190d1a7162d19a127e443f4f7287cb4f9..56c92805e24946a0499821fd31c7afb77dc48dce 100644 (file)
@@ -18,6 +18,7 @@ import parse from "parse-duration";
 import { CopyIcon } from 'components/icon/icon';
 import CopyToClipboard from 'react-copy-to-clipboard';
 import { snackbarActions, SnackbarKind } from 'store/snackbar/snackbar-actions';
+import { sanitizeHTML } from 'common/html-sanitize';
 
 type CssRules = 'button' | 'codeSnippet' | 'link' | 'linkIcon' | 'rightAlign' | 'cardWithoutMachines' | 'icon' | 'chipsRoot' | 'copyIcon' | 'tableWrapper' | 'webshellButton';
 
@@ -269,7 +270,7 @@ const CardSSHSection = (props: VirtualMachineProps) =>
         <Card>
             <CardContent>
                 <Typography>
-                    <div dangerouslySetInnerHTML={{ __html: props.helpText }} style={{ margin: "1em" }} />
+                    <div dangerouslySetInnerHTML={{ __html: sanitizeHTML(props.helpText) }} style={{ margin: "1em" }} />
                 </Typography>
             </CardContent>
         </Card>