Merge pull request #1392 from nickgros/SWC-7113a

Sage-Bionetworks · Nov 19, 2024 · 68722a5 · 68722a5
2 parents 05b0180 + e4c5c82
commit 68722a5
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/packages/synapse-react-client/src/utils/functions/SanitizeHtmlUtils.test.ts b/packages/synapse-react-client/src/utils/functions/SanitizeHtmlUtils.test.ts
@@ -24,7 +24,7 @@ describe('HTML Santization', () => {
   })
   test('Prevents XSS through href', () => {
     const script = 'javascript:alert(1)'
-    const sanitized = xss(`<a href="${script}">foo</span>`, xssOptions)
+    const sanitized = xss(`<a href="${script}">foo</a>`, xssOptions)
     const html = createHTML(sanitized)
     const anchor = html.querySelector('a')!
     expect(anchor).not.toBeNull()
@@ -33,12 +33,22 @@ describe('HTML Santization', () => {
   })
   test('Allows valid link href', () => {
     const validHref = 'https://synapse.org'
-    const sanitized = xss(`<a href="${validHref}">foo</span>`, xssOptions)
+    const sanitized = xss(`<a href="${validHref}">foo</a>`, xssOptions)
     const html = createHTML(sanitized)
     const anchor = html.querySelector('a')!
     expect(anchor).not.toBeNull()
     expect(anchor.getAttribute('href')).toEqual(validHref)
   })
+  test('Allows link rel property', () => {
+    const href = 'https://synapse.org'
+    const rel = 'noopener noreferrer'
+    const sanitized = xss(`<a href="${href}" rel="${rel}">foo</a>`, xssOptions)
+    const html = createHTML(sanitized)
+    const anchor = html.querySelector('a')!
+    expect(anchor).not.toBeNull()
+    expect(anchor.getAttribute('href')).toEqual(href)
+    expect(anchor.getAttribute('rel')).toEqual(rel)
+  })
 
   describe.each(['td', 'th'])('%s cell text alignment', tag => {
     test(`Allows ${tag} with text-align style`, () => {

diff --git a/packages/synapse-react-client/src/utils/functions/SanitizeHtmlUtils.ts b/packages/synapse-react-client/src/utils/functions/SanitizeHtmlUtils.ts
@@ -3,7 +3,7 @@ import { escapeAttrValue, IFilterXSSOptions, safeAttrValue } from 'xss'
 // PORTALS-1450: including 'style' in the allow-list will cause string values to come through, which crashes the app when used (because it uses jsx).
 export const xssOptions: IFilterXSSOptions = {
   whiteList: {
-    a: ['target', 'href', 'title', 'ref'],
+    a: ['target', 'href', 'title', 'rel'],
     abbr: ['title'],
     address: [],
     area: ['shape', 'coords', 'href', 'alt'],

diff --git a/...t-client/test/containers/markdown/__snapshots__/MarkdownSynapse.integration.test.tsx.snap b/...t-client/test/containers/markdown/__snapshots__/MarkdownSynapse.integration.test.tsx.snap
@@ -118,6 +118,7 @@ exports[`MarkdownSynapse tests Snapshot tests works with header and a link 1`] =
         <a
           class="MuiTypography-root MuiTypography-inherit MuiLink-root MuiLink-underlineAlways css-axgts0-MuiTypography-root-MuiLink-root"
           href="https://synapse.org"
+          rel="noopener noreferrer"
           target="_blank"
         >
           text