Skip to content

A few fixes in convertToTspans #736

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 12, 2016
Merged

A few fixes in convertToTspans #736

merged 3 commits into from
Jul 12, 2016

Conversation

etpinard
Copy link
Contributor

resolves #642

See d58d3be and f6a5c67

etpinard added 3 commits July 11, 2016 16:19
@etpinard
test: make convertToTspans suite more robust
f2f5d2c 
- check for white list of anchor attributes
- check for correct 'xlink:show' value
@etpinard
lib: handle '=' and '&' in anchor href
d58d3be 
- fixes #642
- strip only the leading '='
- replace & with '&' to make DOMParser happy
- wrap resulting href in ""
@etpinard
test: add tests for XSS attack in text href
f6a5c67
@etpinard etpinard added bug something broken status: reviewable labels Jul 11, 2016
etpinard
etpinard reviewed Jul 11, 2016
View reviewed changes
test/jasmine/tests/svg_text_utils_test.js
@@ -105,6 +105,21 @@ describe('svg+text utils', function() {
assertAnchorLink(node, 'mailto:[email protected]');
});

it('wrap XSS attacks in href', function() {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@scjody

The previous commit d58d3be also appears to have fix the XSS issue discovered in https://github.com/plotly/streambed/issues/7056 - would you mind reviewing this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! Let me know when it's on prod and I'll play with it a bit to be extra sure.

@etpinard etpinard merged commit 12bed39 into master Jul 12, 2016
@etpinard etpinard deleted the convert-to-svg branch July 12, 2016 14:38
rreusser added a commit that referenced this pull request Jul 27, 2016
@rreusser
Cherry-pick #736
7ee7107
@rreusser rreusser mentioned this pull request Jul 27, 2016
Closed
rreusser added a commit that referenced this pull request Jul 27, 2016
@rreusser
Cherry pick #736 into v1.1.1
31c34ce
rreusser added a commit that referenced this pull request Jul 27, 2016
@rreusser
Cherry-pick #736 into a v1.1.1 maintenance release
63bcc3c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug something broken
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Link text with query params does not work
2 participants
@etpinard @scjody