@gitlab/ui 42.25.0 → 43.0.0

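--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,19 @@
+ # [43.0.0](https://gitlab.com/gitlab-org/gitlab-ui/compare/v42.25.0...v43.0.0) (2022-08-02)
+
+
+ ### Features
+
+ * **SafeHtml:** Extend filters to improve sanitizer ([0229418](https://gitlab.com/gitlab-org/gitlab-ui/commit/022941862a26a42cbaee0bce49d822a7e97948ea))
+
+
+ ### BREAKING CHANGES
+
+ * **SafeHtml:** Disallow a few more potentially dangerous
+ @rails/ujs data-* attributes.
+
+ Pass a configuration argument to `v-safe-html` to change
+ this if needed.
+
  # [42.25.0](https://gitlab.com/gitlab-org/gitlab-ui/compare/v42.24.1...v42.25.0) (2022-07-27)
 
 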
@@ -1,5 +1,5 @@
1
1
  // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421#note_617098438
2
2
  // for more details
3
- const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
3
+ const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method', 'data-disable-with', 'data-disabled', 'data-disable', 'data-turbo'];
4
4
 
5
5
  export { forbiddenDataAttrs };
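--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@gitlab/ui",
- "version": "42.25.0",
+ "version": "43.0.0",
  "description": "GitLab UI Components",
  "license": "MIT",
  "main": "dist/index.js",
@@ -34,7 +34,7 @@
  "test": "run-s test:unit test:visual",
  "test:integration": "NODE_ENV=test start-server-and-test start http://localhost:9001 cy:run",
  "test:unit": "NODE_ENV=test jest --testPathIgnorePatterns storyshots.spec.js",
- "test:unit:watch": "yarn test:unit --watch --notify",
+ "test:unit:watch": "yarn test:unit --watch",
  "test:unit:debug": "NODE_ENV=test node --inspect node_modules/.bin/jest --testPathIgnorePatterns storyshot.spec.js --watch --runInBand",
  "test:visual": "./bin/run-visual-tests.sh 'jest ./tests/storyshots.spec.js'",
  "test:visual:minimal": "node ./bin/run_minimal_visual_tests.js",
@@ -79,11 +79,11 @@
  },
  "devDependencies": {
  "@arkweid/lefthook": "0.7.7",
- "@babel/core": "^7.10.2",
- "@babel/preset-env": "^7.10.2",
- "@gitlab/eslint-plugin": "14.0.0",
+ "@babel/core": "^7.18.9",
+ "@babel/preset-env": "^7.18.9",
+ "@gitlab/eslint-plugin": "15.0.0",
  "@gitlab/stylelint-config": "4.1.0",
- "@gitlab/svgs": "2.30.0",
+ "@gitlab/svgs": "2.33.0",
  "@rollup/plugin-commonjs": "^11.1.0",
  "@rollup/plugin-node-resolve": "^7.1.3",
  "@rollup/plugin-replace": "^2.3.2",
@@ -129,7 +129,7 @@
  "postcss-loader": "^3.0.0",
  "postcss-scss": "4.0.4",
  "prettier": "2.6.2",
- "puppeteer": "11.0.0",
+ "puppeteer": "15.5.0",
  "raw-loader": "^0.5.1",
  "rollup": "^2.53.1",
  "rollup-plugin-babel": "^4.4.0",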
@@ -1,3 +1,12 @@
1
1
  // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421#note_617098438
2
2
  // for more details
3
- export const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
3
+ export const forbiddenDataAttrs = [
4
+ 'data-remote',
5
+ 'data-url',
6
+ 'data-type',
7
+ 'data-method',
8
+ 'data-disable-with',
9
+ 'data-disabled',
10
+ 'data-disable',
11
+ 'data-turbo',
12
+ ];
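Review bot: The four new entries in `forbiddenDataAttrs` are bare strings, and the only explanation is the issue link above the array, so nothing records which client-side library reads each attribute or why it is unsafe in sanitized HTML. A short comment per group, for example `// read by @rails/ujs on click/submit` over the `data-disable*` entries and `// read by Turbo` over `'data-turbo'`, would let a maintainer judge what else belongs here. If the sanitizer compares attribute names exactly (the matching code is not part of this diff), `'data-turbo'` would not cover prefixed variants such as `data-turbo-method`, so it is worth confirming whether a prefix match or more entries are needed. The same list appears in the earlier `@@ -1,5 +1,5 @@` hunk, which looks like the built copy of this file.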
@@ -74,24 +74,20 @@ describe('safe html directive', () => {
74
74
  });
75
75
 
76
76
  describe('handles data attributes correctly', () => {
77
- const acceptedDataAttrs = ['data-safe', 'data-random'];
77
+ const allowedDataAttrs = ['data-safe', 'data-random'];
78
78
 
79
- it.each(forbiddenDataAttrs)('removes %s attributes', (attr) => {
80
- createComponent({
81
- html: `<a ${attr}="true"></a>`,
82
- });
79
+ it.each(forbiddenDataAttrs)('removes dangerous `%s` attribute', (attr) => {
80
+ const html = `<a ${attr}="true"></a>`;
81
+ createComponent({ html });
83
82
 
84
- expect(wrapper.html()).toEqual('<div><a></a></div>');
83
+ expect(wrapper.html()).not.toContain(html);
85
84
  });
86
85
 
87
- it.each(acceptedDataAttrs)('does not remove %s attributes', (attr) => {
88
- const attrWithValue = `${attr}="true"`;
89
-
90
- createComponent({
91
- html: `<a ${attrWithValue}="true"></a>`,
92
- });
86
+ it.each(allowedDataAttrs)('does not remove allowed `%s` attribute', (attr) => {
87
+ const html = `<a ${attr}="true"></a>`;
88
+ createComponent({ html });
93
89
 
94
- expect(wrapper.html()).toEqual(`<div><a ${attrWithValue}></a></div>`);
90
+ expect(wrapper.html()).toContain(html);
95
91
  });
96
92
  });
97
93
  });
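Review bot: `expect(wrapper.html()).not.toContain(html)` in the "removes dangerous" case passes whenever the rendered markup differs from the input string in any way, so it would still pass if the sanitizer kept the forbidden attribute but changed its value, quoting or position. The removed `toEqual('<div><a></a></div>')` pinned the exact output; if that was too brittle, assert on the attribute name itself with `expect(wrapper.html()).not.toContain(attr);`. The enclosing `describe('safe html directive', …)` block starts above this hunk, so `createComponent` and `wrapper` are not visible here.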