Pwa 3401::https://jira.corp.adobe.com/browse/PWA-3401 (#4374)

* Update htmlStringImgUrlConverter.js * Update dependencies package.json * some fix * PWA-3401::Update DOM Text Interpreted As HTML in PWA Code where ever it is needed --------- Co-authored-by: Shivam7-1 <[email protected]>
magento · Feb 3, 2025 · df9e0b9 · df9e0b9
1 parent e104182
commit df9e0b9
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 5 deletions.
diff --git a/package.json b/package.json
@@ -49,7 +49,8 @@
     "caniuse-lite": "~1.0.30001335",
     "path-to-regexp": "^8.2.0",
     "qs": "^6.13.0",
-    "setimmediate": "^1.0.5"
+    "setimmediate": "^1.0.5",
+    "dompurify": "^2.3.8"
   },
   "devDependencies": {
     "@babel/plugin-transform-runtime": "~7.4.4",

diff --git a/packages/pagebuilder/lib/ContentTypes/Block/configAggregator.js b/packages/pagebuilder/lib/ContentTypes/Block/configAggregator.js
@@ -1,8 +1,16 @@
+import DOMPurify from 'dompurify';
 import { getAdvanced } from '../../utils';
 
 export default node => {
+    // Get the raw HTML content from the first child node
+    const rawHTML = node.childNodes[0] ? node.childNodes[0].innerHTML : '';
+
+    // Sanitize the raw HTML using DOMPurify
+    const sanitizedHTML = DOMPurify.sanitize(rawHTML);
+
     return {
-        richContent: node.childNodes[0] ? node.childNodes[0].innerHTML : '',
+        // Return the sanitized HTML content, along with the result from getAdvanced
+        richContent: sanitizedHTML,
         ...getAdvanced(node)
     };
 };
diff --git a/packages/peregrine/lib/util/htmlStringImgUrlConverter.js b/packages/peregrine/lib/util/htmlStringImgUrlConverter.js
@@ -1,6 +1,6 @@
 import makeUrl from './makeUrl';
 import resolveLinkProps from './resolveLinkProps';
-
+import DOMPurify from 'dompurify';
 /**
  * Modifies html string images to use makeUrl as source and resolves links to use internal path.
  *
@@ -9,7 +9,7 @@ import resolveLinkProps from './resolveLinkProps';
  */
 const htmlStringImgUrlConverter = htmlString => {
     const temporaryElement = document.createElement('div');
-    temporaryElement.innerHTML = htmlString;
+    temporaryElement.innerHTML = DOMPurify.sanitize(htmlString);
     for (const imgElement of temporaryElement.getElementsByTagName('img')) {
         imgElement.src = makeUrl(imgElement.src, {
             type: 'image-wysiwyg',

diff --git a/venia-integration-tests/src/fixtures/googleMapApi/index.js b/venia-integration-tests/src/fixtures/googleMapApi/index.js
@@ -1,3 +1,4 @@
+import DOMPurify from 'dompurify';
 export const createGoogleMapApi = currentMapApi => {
     return {
         maps: {
@@ -85,7 +86,9 @@ export const createGoogleMapApi = currentMapApi => {
 
                 open(map) {
                     map.infoWindowContainer.style.maxWidth = this.maxWidth;
-                    map.infoWindowContainer.innerHTML = this.content;
+                    map.infoWindowContainer.innerHTML = DOMPurify.sanitize(
+                        this.content
+                    );
                 }
 
                 close() {

diff --git a/yarn.lock b/yarn.lock
@@ -8939,6 +8939,11 @@ domhandler@^4.0.0, domhandler@^4.2.0, domhandler@^4.3.1:
   dependencies:
     domelementtype "^2.2.0"
 
+dompurify@^2.3.8:
+  version "2.5.8"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.5.8.tgz#2809d89d7e528dc7a071dea440d7376df676f824"
+  integrity sha512-o1vSNgrmYMQObbSSvF/1brBYEQPHhV1+gsmrusO7/GXtp1T9rCS8cXFqVxK/9crT1jA6Ccv+5MTSjBNqr7Sovw==
+
 domutils@^2.5.2, domutils@^2.8.0:
   version "2.8.0"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-2.8.0.tgz#4437def5db6e2d1f5d6ee859bd95ca7d02048135"