View Alerts: Sanitize and mark safe #11594
Conversation
DryRun Security SummaryThe pull request involves modifying the alert display in a Dojo application by introducing a custom Markdown rendering template tag, which raises potential security concerns around XSS vulnerabilities, input sanitization, and CSRF protection that require careful review. Expand for full summarySummary: The code changes in this pull request are related to the display of alert information in the Dojo application. The key changes include the addition of a custom template tag library for rendering content and the modification of the alert description rendering to use a custom The primary security considerations are the proper sanitization of the Markdown rendering to prevent Cross-Site Scripting (XSS) vulnerabilities, the secure handling of all user-supplied input to prevent injection attacks, the proper implementation and verification of the CSRF protection, and the review of the "Select all" checkbox functionality to ensure it does not introduce any security issues. As an application security engineer, it is crucial to thoroughly review these changes and ensure the overall security of the application is maintained. Files Changed:
Code AnalysisWe ran |
Alerts are being HTML escaped in places where they should not be. Rather on relying on the default HTML escaping, we should use the markdown bleaching templatetag to allow for more options in object titles. Here is a before and after of an innocuous alert vs a dangerous one (no xss triggered here).
Before:
After:
[sc-9944]