fix: overlay content #3553
fix: overlay content #3553
Conversation
| @@ -138,7 +137,7 @@ function show(messages, type) { | |||
|
|
|||
| // Make it look similar to our terminal. | |||
| const errorMessage = message.message || messages[0]; | |||
| const text = ansiHTML(encode(errorMessage)); | |||
There was a problem hiding this comment.
It is not safe, here can be XSS
There was a problem hiding this comment.
Maybe we need decode(text, {level: 'html5'}) afterwards
WIP on tests |
Codecov Report
@@ Coverage Diff @@
## master #3553 +/- ##
==========================================
- Coverage 94.02% 93.55% -0.48%
==========================================
Files 15 15
Lines 1256 1256
Branches 431 431
==========================================
- Hits 1181 1175 -6
- Misses 69 75 +6
Partials 6 6
Continue to review full report at Codecov.
|
snitin315
requested review from
anshumanv,
hiroppy and
knagaitsev
as code owners
|
Ready for review. /cc @alexander-akait |
|
Thanks, will look at near future |
|
I was wrong about XSS due |
|
Fixed, anyway thanks |
|
the correct fix is this ====> const errorMessage = message.message || messages[0];
const content = ansiHTML(errorMessage);
const messageContentNode = document.createElement('div');
messageContentNode.innerHTML = content;html still showing bad, with this looks perfect, see the imagen bellow:
|
|
It is xss, no it is not good |
|
Current solution has the same output |
Impossible, html in a text node will be show up like entities…. 😓😓😓😓 |
|
Please provide screenshot, again, always use the issue template, our tests are fine |
Did you test with html content ? |
|
We should not accept HTML content from error/warning messages, otherwise you can inject |
|
Look is very simple, text node can no allocate html only text…. |
|
Because it is XSS |
Inject xss to my self 🤣 |
|
other plugin which you can be installed and emit HTML content and steel your environments, it is not joke |
|
Perfect, is a 1% of the time that can happen maybe less, there is other solution to show correctly this? cause is impossible to read anything |
|
No one plugin should not emit HTML content in warning/error messages |
|
In your screenshot only text content and it should be good in overlay |
Eslint do and do nice and read is bestifully, so best way is disable this not useful overlay |
HTML content? don't talk nonsense, eslint uses only ansi colors (yes, you can write custom output, but I don't see it is good idea), I don't see HTML content |
Eslint return html you check in the other issue the screenshot with html ….. |
|
No HTML in any place |
|
Loook this
|
|
Okay, please open a new issue with reproducible test repo and format this as issue template, original problem with html entries was fixed, what is why I ask ALWAYS use the issue template |
For Bugs and Features; did you add new tests?
Yes
Motivation / Use-Case
Fix #3552
Before
After
Breaking Changes
No
Additional Info
No