feat(checkboxes): Added checkbox support for Markdown. #141
Conversation
| content: string = `There is some text in here. | ||
| And some checkboxes:<ul> | ||
| <li><input type="checkbox" data-checkbox-index="0"></input>An Item.</li> | ||
| <li><input type="checkbox" checked="" data-checkbox-index="1"></input>Checked Item.</li> |
There was a problem hiding this comment.
@michaelkleinhenz what should checked="false" do ?
Checked Item.
There was a problem hiding this comment.
Leftover. I'll remove that. :-)
| case 'url': return this.sanitizer.bypassSecurityTrustUrl(value); | ||
| case 'resourceUrl': return this.sanitizer.bypassSecurityTrustResourceUrl(value); | ||
| default: throw new Error(`Invalid safe type specified: ${type}`); | ||
| } |
There was a problem hiding this comment.
Could be wrong, but this object appears to disable/bypass Angular's built-in sanitation? If so, bypassing JavaScript sanitation isn't a good idea.
I'm concerned we're converting user input into a trusted value and introducing a security vulnerability by trusting values that could be malicious?
See: https://angular.io/guide/security#bypass-security-apis
"But be careful. If you trust a value that might be malicious, you are introducing a security vulnerability into your application. If in doubt, find a professional security reviewer."
There was a problem hiding this comment.
See comment below. Note: JS sanitizing is still enabled.
|
@michaelkleinhenz does your new PR address the issue that @dlabrecq raised? |
|
@joshuawilson @dlabrecq yes and no. The wrapping in SafeValue is now happening outside of ngx-widgets in the enclosing component (namely the Planner detail view). ngx-widgets now only just supports incoming SafeValue content. All sanitizer handling has been removed from ngx-widgets. Although the problem still persists, because we still need to use SafeValue in Planner to wrap the rendered markdown. The Angular sanitizer can not be configured on a fine granular (element) basis (like the golang sanitizer can). So we either need to disable HTML sanitizing entirely for that value or we can not support any feature that needs input elements in the HTML. Note that the HTML sanitizing can be individually turned off, JavaScript and URLs are still stripped from the HTML. Although this is still not ideal, the impact there is low. We're only turning off HTML sanitizing, other active components are still stripped. The HTML comes from a trusted source and is not directly user-editable but is always generated from Markdown. Also, the generated HTML is sanitized on the server side as well in a much more restricted way (only allowing input elements in addition to the standard set of allowed elements). |
|
I confirmed the github-link-area component is still bypassing HTML, while the markdown example is bypassing HTML, styles, JavaScript, URLs, etc. Is the intention to simply move the bypass code (in the example) to Planner (i.e., sanitized server-side)? |
|
@dlabrecq are you ok with these updates? |
|
Yes. As long as the JavaScript and URLs are still stripped from the HTML, I'm fine with the markup being sanitized server-side. |
Adds checkbox support for Markdown.