Install dompurify and use to sanitize product title for review blocks (https://github.com/woocommerce/woocommerce-blocks/pull/1117)

* install dompurify and use to sanitize product title for reviews * remove dompurify * remove dompurify implementation and add jsdoc covering what data is trusted
2019-11-01 18:00:19 -05:00 · 2019-11-01 18:00:19 -05:00 · 8625e418a9
parent 83925b48e6
commit 8625e418a9
1 changed files with 18 additions and 1 deletions
--- a/plugins/woocommerce-blocks/assets/js/base/components/review-list-item/index.js
+++ b/plugins/woocommerce-blocks/assets/js/base/components/review-list-item/index.js
@ -88,7 +88,15 @@ function getReviewContent( review ) {
 function getReviewProductName( review ) {
 	return (
 		<div className="wc-block-review-list-item__product">
-			<a href={ review.product_permalink }>{ review.product_name }</a>
+			<a
+				href={ review.product_permalink }
+				dangerouslySetInnerHTML={ {
+					// `product_name` might have html entities for things like
+					// emdash. So to display properly we need to allow the
+					// browser to render.
+					__html: review.product_name,
+				} }
+			/>
 		</div>
 	);
 }
@ -193,4 +201,13 @@ ReviewListItem.propTypes = {
 	review: PropTypes.object,
 };

+/**
+ * BE AWARE. ReviewListItem expects product data that is equivalent to what is
+ * made avaialble for output in a public view. Thus content that may contain
+ * html data is not sanitized further.
+ *
+ * Currently the following data is trusted (assumed to already be sanitized):
+ * - `review.review` (review content).
+ * - `review.product_name` (the product title)
+ */
 export default ReviewListItem;