
Commit 182df11

committed
fix(tooltip): sanitize HTML to prevent XSS
1 parent ce365fe commit 182df11


3 files changed

+64
-6
lines changed


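--- a/package.json
+++ b/package.json
@@ -54,7 +54,8 @@
 },
 "dependencies": {
 "classnames": "^2.2.5",
-"prop-types": "^15.6.0"
+"prop-types": "^15.6.0",
+"sanitize-html": "^1.18.5"
 },
 "engines": {
 "node": ">=4.2.1"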

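--- a/src/index.js
+++ b/src/index.js
@@ -4,6 +4,7 @@ import React from 'react'
 import PropTypes from 'prop-types'
 import ReactDOM from 'react-dom'
 import classname from 'classnames'
+import sanitizeHtml from 'sanitize-html'
 
 /* Decoraters */
 import staticMethods from './decorators/staticMethods'
@@ -540,7 +541,7 @@ class ReactTooltip extends React.Component {
 ref={ref => this.tooltipRef = ref}
 {...ariaProps}
 data-id='tooltip'
-dangerouslySetInnerHTML={{__html: placeholder}}/>
+dangerouslySetInnerHTML={{__html: sanitizeHtml(placeholder)}}/>
 )
 } else {
 return (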
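Review bot: The new `sanitizeHtml(placeholder)` call on the `dangerouslySetInnerHTML` line relies entirely on the library's default allow-list, and because package.json takes the caret range `^1.18.5`, the effective policy of this XSS fix is whatever defaults a fresh install happens to resolve rather than something pinned and reviewable in this repo. Pass an explicit options object kept as a module-level constant, e.g. `dangerouslySetInnerHTML={{__html: sanitizeHtml(placeholder, SANITIZE_OPTIONS)}}` with `SANITIZE_OPTIONS` spelling out `allowedTags`, `allowedAttributes` and `allowedSchemes` (`['http', 'https', 'mailto']`), and add a regression test asserting that a `javascript:` href and an `onerror` attribute are stripped from the rendered tooltip. It is also worth noting that sanitize-html is a Node-oriented sanitizer (the lockfile shows it pulling in postcss and htmlparser2), which is a sizable addition to a browser-only tooltip bundle; DOMPurify is the usual browser-side alternative if bundle size or the transitive supply chain is a concern. The enclosing render method begins before and ends after this hunk, so whether the non-`html` branch below escapes `placeholder` as text cannot be confirmed from here.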

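--- a/yarn.lock
+++ b/yarn.lock
@@ -318,7 +318,7 @@ array-union@^1.0.1:
 dependencies:
 array-uniq "^1.0.1"
 
-array-uniq@^1.0.1:
+array-uniq@^1.0.1, array-uniq@^1.0.2:
 version "1.0.3"
 resolved "https://registry.yarnpkg.com/array-uniq/-/array-uniq-1.0.3.tgz#af6ac877a25cc7f74e058894753858dfdb24fdb6"
 
@@ -1797,7 +1797,7 @@ [email protected], chalk@^1.0.0, chalk@^1.1.0, chalk@^1.1.1, chalk@^1.1.3:
 strip-ansi "^3.0.0"
 supports-color "^2.0.0"
 
-chalk@^2.3.0:
+chalk@^2.3.0, chalk@^2.4.1:
 version "2.4.1"
 resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.4.1.tgz#18c49ab16a037b6eb0152cc83e3471338215b66e"
 dependencies:
@@ -4053,7 +4053,7 @@ htmlescape@^1.1.0:
 version "1.1.1"
 resolved "https://registry.yarnpkg.com/htmlescape/-/htmlescape-1.1.1.tgz#3a03edc2214bca3b66424a3e7959349509cb0351"
 
-htmlparser2@^3.9.1:
+htmlparser2@^3.9.0, htmlparser2@^3.9.1:
 version "3.9.2"
 resolved "https://registry.yarnpkg.com/htmlparser2/-/htmlparser2-3.9.2.tgz#1bdf87acca0f3f9e53fa4fcceb0f4b4cbb00b338"
 dependencies:
@@ -4987,14 +4987,18 @@ lodash.clonedeep@^3.0.1:
 lodash._baseclone "^3.0.0"
 lodash._bindcallback "^3.0.0"
 
-lodash.clonedeep@^4.3.2:
+lodash.clonedeep@^4.3.2, lodash.clonedeep@^4.5.0:
 version "4.5.0"
 resolved "https://registry.yarnpkg.com/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz#e23f3f9c4f8fbdde872529c1071857a086e5ccef"
 
 lodash.defaults@^4.0.1:
 version "4.2.0"
 resolved "https://registry.yarnpkg.com/lodash.defaults/-/lodash.defaults-4.2.0.tgz#d09178716ffea4dde9e5fb7b37f6f0802274580c"
 
+lodash.escaperegexp@^4.1.2:
+version "4.1.2"
+resolved "https://registry.yarnpkg.com/lodash.escaperegexp/-/lodash.escaperegexp-4.1.2.tgz#64762c48618082518ac3df4ccf5d5886dae20347"
+
 lodash.filter@^4.4.0:
 version "4.6.0"
 resolved "https://registry.yarnpkg.com/lodash.filter/-/lodash.filter-4.6.0.tgz#668b1d4981603ae1cc5a6fa760143e480b4c4ace"
@@ -5023,6 +5027,14 @@ lodash.isplainobject@^3.0.0:
 lodash.isarguments "^3.0.0"
 lodash.keysin "^3.0.0"
 
+lodash.isplainobject@^4.0.6:
+version "4.0.6"
+resolved "https://registry.yarnpkg.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz#7c526a52d89b45c45cc690b88163be0497f550cb"
+
+lodash.isstring@^4.0.1:
+version "4.0.1"
+resolved "https://registry.yarnpkg.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz#d527dfb5456eca7cc9bb95d5daeaf88ba54a5451"
+
 lodash.istypedarray@^3.0.0:
 version "3.0.6"
 resolved "https://registry.yarnpkg.com/lodash.istypedarray/-/lodash.istypedarray-3.0.6.tgz#c9a477498607501d8e8494d283b87c39281cef62"
@@ -5070,6 +5082,10 @@ lodash.merge@^4.4.0:
 version "4.6.0"
 resolved "https://registry.yarnpkg.com/lodash.merge/-/lodash.merge-4.6.0.tgz#69884ba144ac33fe699737a6086deffadd0f89c5"
 
+lodash.mergewith@^4.6.0:
+version "4.6.1"
+resolved "https://registry.yarnpkg.com/lodash.mergewith/-/lodash.mergewith-4.6.1.tgz#639057e726c3afbdb3e7d42741caa8d6e4335927"
+
 lodash.omit@^3.1.0:
 version "3.1.0"
 resolved "https://registry.yarnpkg.com/lodash.omit/-/lodash.omit-3.1.0.tgz#897fe382e6413d9ac97c61f78ed1e057a00af9f3"
@@ -6146,6 +6162,14 @@ posix-character-classes@^0.1.0:
 version "0.1.1"
 resolved "https://registry.yarnpkg.com/posix-character-classes/-/posix-character-classes-0.1.1.tgz#01eac0fe3b5af71a2a6c02feabb8c1fef7e00eab"
 
+postcss@^6.0.14:
+version "6.0.23"
+resolved "https://registry.yarnpkg.com/postcss/-/postcss-6.0.23.tgz#61c82cc328ac60e677645f979054eb98bc0e3324"
+dependencies:
+chalk "^2.4.1"
+source-map "^0.6.1"
+supports-color "^5.4.0"
+
 prelude-ls@~1.1.0, prelude-ls@~1.1.1, prelude-ls@~1.1.2:
 version "1.1.2"
 resolved "https://registry.yarnpkg.com/prelude-ls/-/prelude-ls-1.1.2.tgz#21932a549f5e52ffd9a827f570e04be62a97da54"
@@ -6876,6 +6900,21 @@ samsam@~1.1:
 version "1.1.3"
 resolved "https://registry.yarnpkg.com/samsam/-/samsam-1.1.3.tgz#9f5087419b4d091f232571e7fa52e90b0f552621"
 
+sanitize-html@^1.18.5:
+version "1.18.5"
+resolved "https://registry.yarnpkg.com/sanitize-html/-/sanitize-html-1.18.5.tgz#350013d95d17f851ef8b178dfd9ca155acf2d7a0"
+dependencies:
+chalk "^2.3.0"
+htmlparser2 "^3.9.0"
+lodash.clonedeep "^4.5.0"
+lodash.escaperegexp "^4.1.2"
+lodash.isplainobject "^4.0.6"
+lodash.isstring "^4.0.1"
+lodash.mergewith "^4.6.0"
+postcss "^6.0.14"
+srcset "^1.0.0"
+xtend "^4.0.0"
+
 sass-graph@^2.1.1:
 version "2.2.4"
 resolved "https://registry.yarnpkg.com/sass-graph/-/sass-graph-2.2.4.tgz#13fbd63cd1caf0908b9fd93476ad43a51d1e0b49"
@@ -7162,6 +7201,10 @@ source-map@^0.5.0, source-map@^0.5.6, source-map@~0.5.0, source-map@~0.5.1, sour
 version "0.5.7"
 resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.5.7.tgz#8a039d2d1021d22d1ea14c80d8ea468ba2ef3fcc"
 
+source-map@^0.6.1:
+version "0.6.1"
+resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.6.1.tgz#74722af32e9614e9c287a8d0bbde48b5e2f1a263"
+
 source-map@~0.1.30:
 version "0.1.43"
 resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.1.43.tgz#c24bc146ca517c1471f5dacbe2571b2b7f9e3346"
@@ -7221,6 +7264,13 @@ sprintf-js@~1.0.2:
 version "1.0.3"
 resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
 
+srcset@^1.0.0:
+version "1.0.0"
+resolved "https://registry.yarnpkg.com/srcset/-/srcset-1.0.0.tgz#a5669de12b42f3b1d5e83ed03c71046fc48f41ef"
+dependencies:
+array-uniq "^1.0.2"
+number-is-nan "^1.0.0"
+
 sshpk@^1.7.0:
 version "1.13.1"
 resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.13.1.tgz#512df6da6287144316dc4c18fe1cf1d940739be3"
@@ -7470,6 +7520,12 @@ supports-color@^2.0.0:
 version "2.0.0"
 resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-2.0.0.tgz#535d045ce6b6363fa40117084629995e9df324c7"
 
+supports-color@^5.4.0:
+version "5.5.0"
+resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-5.5.0.tgz#e2e69a44ac8772f78a1ec0b35b689df6530efc8f"
+dependencies:
+has-flag "^3.0.0"
+
 symbol-tree@^3.2.1:
 version "3.2.2"
 resolved "https://registry.yarnpkg.com/symbol-tree/-/symbol-tree-3.2.2.tgz#ae27db38f660a7ae2e1c3b7d1bc290819b8519e6"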
