Fix use of sanitizeHTML (https://github.com/woocommerce/woocommerce-blocks/pull/7231)

* Remove object from sanitizeHTML return value * Import sanitizeHTML from utils * Fix dangerously set inner HTML format * Update package-lock * Update package-lock * Update package-lock * Update @types/dompurify version Co-authored-by: Thomas Roberts <5656702+opr@users.noreply.github.com>
2022-10-05 02:59:38 -07:00 · 2022-10-05 02:59:38 -07:00 · cad30afc79
parent ce68c6ef40
commit cad30afc79
4 changed files with 4348 additions and 27898 deletions
--- a/plugins/woocommerce-blocks/assets/js/base/components/cart-checkout/shipping-rates-control-package/index.tsx
+++ b/plugins/woocommerce-blocks/assets/js/base/components/cart-checkout/shipping-rates-control-package/index.tsx
@ -73,7 +73,9 @@ export const ShippingRatesControlPackage = ( {
 			{ ( showItems || collapsible ) && (
 				<div
 					className="wc-block-components-shipping-rates-control__package-title"
-					dangerouslySetInnerHTML={ sanitizeHTML( packageData.name ) }
+					dangerouslySetInnerHTML={ {
 						__html: sanitizeHTML( packageData.name ),
 					} }
 				/>
 			) }
 			{ showItems && (
--- a/plugins/woocommerce-blocks/assets/js/base/context/providers/store-notices/components/store-notices-container.js
+++ b/plugins/woocommerce-blocks/assets/js/base/context/providers/store-notices/components/store-notices-container.js
@ -4,7 +4,7 @@
 import PropTypes from 'prop-types';
 import classnames from 'classnames';
 import { Notice } from 'wordpress-components';
-import { sanitize } from 'dompurify';
+import { sanitizeHTML } from '@woocommerce/utils';
 import { useDispatch, useSelect } from '@wordpress/data';
 import { PAYMENT_METHOD_DATA_STORE_KEY } from '@woocommerce/block-data';
@ -13,15 +13,6 @@ import { PAYMENT_METHOD_DATA_STORE_KEY } from '@woocommerce/block-data';
 */
 import './style.scss';
 const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
 const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];
 const sanitizeHTML = ( html ) => {
 	return {
 		__html: sanitize( html, { ALLOWED_TAGS, ALLOWED_ATTR } ),
 	};
 };
 const getWooClassName = ( { status = 'default' } ) => {
 	switch ( status ) {
 		case 'error':
@ -78,11 +69,7 @@ export const StoreNoticesContainer = ( {
 						}
 					} }
 				>
-					<span
+					{ sanitizeHTML( props.content ) }
 						dangerouslySetInnerHTML={ sanitizeHTML(
 							props.content
 						) }
 					/>
 				</Notice>
 			) ) }
 		</div>
--- a/plugins/woocommerce-blocks/assets/js/utils/sanitize-html.ts
+++ b/plugins/woocommerce-blocks/assets/js/utils/sanitize-html.ts
@ -1,12 +1,7 @@
 /**
 * External dependencies
 */
-import DOMPurify from 'dompurify';
+import { sanitize } from 'dompurify';
 type sanitizedHTMLObject = {
 	// eslint-disable-next-line @typescript-eslint/naming-convention
 	__html: string;
 };
 const ALLOWED_TAGS = [ 'a', 'b', 'em', 'i', 'strong', 'p', 'br' ];
 const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];
@ -14,14 +9,12 @@ const ALLOWED_ATTR = [ 'target', 'href', 'rel', 'name', 'download' ];
 export const sanitizeHTML = (
 	html: string,
 	config?: { tags?: typeof ALLOWED_TAGS; attr?: typeof ALLOWED_ATTR }
-): sanitizedHTMLObject => {
+) => {
 	const tagsValue = config?.tags || ALLOWED_TAGS;
 	const attrValue = config?.attr || ALLOWED_ATTR;
-	return {
+	return sanitize( html, {
 		__html: DOMPurify.sanitize( html, {
 		ALLOWED_TAGS: tagsValue,
 		ALLOWED_ATTR: attrValue,
-		} ),
+	} );
 	};
 };
--- a/plugins/woocommerce-blocks/package-lock.json
+++ b/plugins/woocommerce-blocks/package-lock.json