Commit 835f422e authored by Markus Koller's avatar Markus Koller

Use v-safe-html for field help texts in integration form

This isn't critical since the help texts are defined in the integration
models (in `Integration#help` and `Integration#fields`) and can be
trusted.

We still want to allow external links using `target="blank"`, so we pass
a custom configuration to `v-safe-html` until this is implemented in
`gitlab-ui` with https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1427.

We also do the same for the main help texts in `integration_form.vue`,
and add the `target` and `rel` attributes where missing.
parent baa59ee9
<script> <script>
/* eslint-disable vue/no-v-html */ import {
import { GlFormGroup, GlFormCheckbox, GlFormInput, GlFormSelect, GlFormTextarea } from '@gitlab/ui'; GlFormGroup,
GlFormCheckbox,
GlFormInput,
GlFormSelect,
GlFormTextarea,
GlSafeHtmlDirective as SafeHtml,
} from '@gitlab/ui';
import { capitalize, lowerCase, isEmpty } from 'lodash'; import { capitalize, lowerCase, isEmpty } from 'lodash';
import { mapGetters } from 'vuex'; import { mapGetters } from 'vuex';
import eventHub from '../event_hub'; import eventHub from '../event_hub';
...@@ -14,6 +20,9 @@ export default { ...@@ -14,6 +20,9 @@ export default {
GlFormSelect, GlFormSelect,
GlFormTextarea, GlFormTextarea,
}, },
directives: {
SafeHtml,
},
props: { props: {
choices: { choices: {
type: Array, type: Array,
...@@ -122,6 +131,9 @@ export default { ...@@ -122,6 +131,9 @@ export default {
this.validated = true; this.validated = true;
}, },
}, },
helpHtmlConfig: {
ADD_ATTR: ['target'], // allow external links, can be removed after https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1427 is implemented
},
}; };
</script> </script>
...@@ -133,7 +145,7 @@ export default { ...@@ -133,7 +145,7 @@ export default {
:state="valid" :state="valid"
> >
<template #description> <template #description>
<span v-html="help"></span> <span v-safe-html:[$options.helpHtmlConfig]="help"></span>
</template> </template>
<template v-if="isCheckbox"> <template v-if="isCheckbox">
......
...@@ -86,6 +86,7 @@ export default { ...@@ -86,6 +86,7 @@ export default {
}, },
}, },
helpHtmlConfig: { helpHtmlConfig: {
ADD_ATTR: ['target'], // allow external links, can be removed after https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1427 is implemented
ADD_TAGS: ['use'], // to support icon SVGs ADD_TAGS: ['use'], // to support icon SVGs
FORBID_ATTR: [], // This is trusted input so we can override the default config to allow data-* attributes FORBID_ATTR: [], // This is trusted input so we can override the default config to allow data-* attributes
}, },
......
...@@ -15,7 +15,7 @@ module Integrations ...@@ -15,7 +15,7 @@ module Integrations
end end
def help def help
'<p>Use this service to send notifications about events in GitLab projects to your Microsoft Teams channels. <a href="https://docs.gitlab.com/ee/user/project/integrations/microsoft_teams.html">How do I configure this integration?</a></p>' '<p>Use this service to send notifications about events in GitLab projects to your Microsoft Teams channels. <a href="https://docs.gitlab.com/ee/user/project/integrations/microsoft_teams.html" target="_blank" rel="noopener noreferrer">How do I configure this integration?</a></p>'
end end
def webhook_placeholder def webhook_placeholder
......
...@@ -18,7 +18,7 @@ module Integrations ...@@ -18,7 +18,7 @@ module Integrations
'This service sends notifications about projects events to a Unify Circuit conversation.<br /> 'This service sends notifications about projects events to a Unify Circuit conversation.<br />
To set up this service: To set up this service:
<ol> <ol>
<li><a href="https://www.circuit.com/unifyportalfaqdetail?articleId=164448">Set up an incoming webhook for your conversation</a>. All notifications will come to this conversation.</li> <li><a href="https://www.circuit.com/unifyportalfaqdetail?articleId=164448" target="_blank" rel="noopener noreferrer">Set up an incoming webhook for your conversation</a>. All notifications will come to this conversation.</li>
<li>Paste the <strong>Webhook URL</strong> into the field below.</li> <li>Paste the <strong>Webhook URL</strong> into the field below.</li>
<li>Select events below to enable notifications.</li> <li>Select events below to enable notifications.</li>
</ol>' </ol>'
......
...@@ -182,6 +182,19 @@ describe('DynamicField', () => { ...@@ -182,6 +182,19 @@ describe('DynamicField', () => {
expect(findGlFormGroup().find('small').html()).toContain(helpHTML); expect(findGlFormGroup().find('small').html()).toContain(helpHTML);
}); });
it('strips unsafe HTML from the help text', () => {
const helpHTML =
'[<code>1</code> <iframe>2</iframe> <a href="javascript:alert(document.cookie)">3</a> <a href="foo" target="_blank">4</a>]';
createComponent({
help: helpHTML,
});
expect(findGlFormGroup().find('small').html()).toContain(
'[<code>1</code> <a>3</a> <a target="_blank" href="foo">4</a>]',
);
});
}); });
describe('label text', () => { describe('label text', () => {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment