Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat espace pro #974

Draft
wants to merge 10 commits into
base: dev
Choose a base branch
from
Draft

Feat espace pro #974

wants to merge 10 commits into from

Conversation

totakoko
Copy link
Member

WIP

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 10, 2025
View reviewed changes
src/server/email/react-email.tsx
replyTo: process.env.REPLYTO_EMAIL,
subject: emailDefinition.subject,
html: html,
text: html.replace(/<(?:.|\n)*?>/gm, ''),

Check failure

Code scanning / CodeQL

Incomplete multi-character sanitization High

This string may still contain
<script
Loading
, which may cause an HTML element injection vulnerability.

Copilot Autofix AI about 1 hour ago

To fix the problem, we should replace the custom regular expression used for sanitization with a well-tested library that can handle HTML sanitization comprehensively. The sanitize-html library is a popular choice for this purpose. It will ensure that all potentially unsafe HTML tags and attributes are removed, mitigating the risk of HTML injection vulnerabilities.

  1. Install the sanitize-html library.
  2. Import the sanitize-html library in the file.
  3. Replace the custom regular expression with a call to the sanitize-html function to sanitize the html string.
Suggested changeset 2
src/server/email/react-email.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/server/email/react-email.tsx b/src/server/email/react-email.tsx
--- a/src/server/email/react-email.tsx
+++ b/src/server/email/react-email.tsx
@@ -2,2 +2,3 @@
 import { type ComponentProps } from 'react';
+import sanitizeHtml from 'sanitize-html';
 
@@ -46,3 +47,3 @@
     html: html,
-    text: html.replace(/<(?:.|\n)*?>/gm, ''),
+    text: sanitizeHtml(html, { allowedTags: [], allowedAttributes: {} }),
   });
EOF
@@ -2,2 +2,3 @@
import { type ComponentProps } from 'react';
import sanitizeHtml from 'sanitize-html';

@@ -46,3 +47,3 @@
html: html,
text: html.replace(/<(?:.|\n)*?>/gm, ''),
text: sanitizeHtml(html, { allowedTags: [], allowedAttributes: {} }),
});
package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -139,3 +139,4 @@
     "yup": "^1.2.0",
-    "zod": "^3.24.1"
+    "zod": "^3.24.1",
+    "sanitize-html": "^2.14.0"
   },
EOF
@@ -139,3 +139,4 @@
"yup": "^1.2.0",
"zod": "^3.24.1"
"zod": "^3.24.1",
"sanitize-html": "^2.14.0"
},
This fix introduces these dependencies
Package Version Security advisories
sanitize-html (npm) 2.14.0 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@totakoko