Skip to content
This repository was archived by the owner on Sep 30, 2024. It is now read-only.

Disable injectHTML by default#51400

Merged
evict merged 4 commits into
mainfrom
vincent/inject-html-env-var
May 4, 2023
Merged

Disable injectHTML by default#51400
evict merged 4 commits into
mainfrom
vincent/inject-html-env-var

Conversation

@evict

@evict evict commented May 3, 2023

Copy link
Copy Markdown
Contributor

This change will, by default, disable the HTML injection feature in site-admin. Customers who want to customize their instance can add the environment variable to add scripts or other HTML content. This will make customers (the majority) who don't want this customization feature protected against potential XSS attack.

Test plan

Tested the changes on my local instance.

@evict evict requested review from a team May 3, 2023 09:23
@evict evict self-assigned this May 3, 2023
@cla-bot cla-bot Bot added the cla-signed label May 3, 2023
eseliger
eseliger approved these changes May 3, 2023
View reviewed changes

@eseliger eseliger left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add some documentation on this and also a changelog entry.

@evict evict force-pushed the vincent/inject-html-env-var branch from ab5e018 to 5405540 Compare May 3, 2023 09:30
@evict

evict commented May 3, 2023

Copy link
Copy Markdown
Contributor Author

We should add some documentation on this and also a changelog entry.

@eseliger I've added it to CHANGELOG and the description in the schema. Is this sufficient?

eseliger
eseliger approved these changes May 3, 2023
View reviewed changes

@eseliger eseliger left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we use this on one of our continuously deployed environments? If so, we might want to turn on that env var before merging.

Comment thread CHANGELOG.md
indradhanush
indradhanush approved these changes May 3, 2023
View reviewed changes
Comment thread cmd/frontend/internal/app/ui/handlers.go Outdated
@evict evict force-pushed the vincent/inject-html-env-var branch from 19a6cb8 to 5fc692a Compare May 3, 2023 09:42
@evict

evict commented May 3, 2023
edited
Loading

Copy link
Copy Markdown
Contributor Author

Do we use this on one of our continuously deployed environments? If so, we might want to turn on that env var before merging.

Just checked on 3 of the instances, none of them are using the feature!

@evict evict merged commit 70bc9f4 into main May 4, 2023
@evict evict deleted the vincent/inject-html-env-var branch May 4, 2023 13:31
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

5 more reviewers

@indradhanush indradhanush indradhanush approved these changes

@unknwon unknwon unknwon approved these changes

@eseliger eseliger eseliger approved these changes

@sashaostrikov sashaostrikov sashaostrikov approved these changes

@doragrgic doragrgic doragrgic approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@evict evict

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@evict @indradhanush @unknwon @eseliger @sashaostrikov @doragrgic