Add html filtering #1356
Add html filtering #1356
Conversation
JoannaaKL
force-pushed
the
add-html-filtering
branch
from
ae212d8 to
d2d09b7
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds HTML sanitization capabilities to prevent XSS attacks and other security issues when handling user-provided content. It introduces the bluemonday library to sanitize HTML tags in GitHub issue and pull request titles and bodies.
- Integrates bluemonday library for HTML sanitization with a configurable policy
- Updates sanitization logic to filter both invisible characters and HTML tags
- Adds comprehensive test coverage for the new HTML filtering functionality
Reviewed Changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
pkg/sanitize/sanitize.go |
Adds FilterHTMLTags and Sanitize functions with bluemonday policy configuration |
pkg/sanitize/sanitize_test.go |
Adds comprehensive test cases for HTML tag filtering |
pkg/github/issues.go |
Updates to use Sanitize instead of FilterInvisibleCharacters |
pkg/github/pullrequests.go |
Updates to use Sanitize instead of FilterInvisibleCharacters |
go.mod |
Adds bluemonday and its dependencies |
go.sum |
Updates checksums for new dependencies |
third-party-licenses.*.md |
Adds license entries for new dependencies |
third-party/*/LICENSE* |
Adds license files for new third-party dependencies |
script/licenses |
Adds GOFLAGS=-mod=mod to go-licenses commands |
script/licenses-check |
Adds GOFLAGS=-mod=mod and fixes echo to printf |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| func FilterHTMLTags(input string) string { | ||
| if policy == nil { | ||
| policyInit() | ||
| } |
There was a problem hiding this comment.
The nil check for policy is not thread-safe and could result in multiple goroutines initializing the policy simultaneously. Consider checking if policy is nil inside policyInit() only, or use policyOnce.Do() directly in FilterHTMLTags to ensure initialization happens exactly once.
| ) | ||
|
|
||
| p.AllowAttrs("href").OnElements("a") | ||
| p.AllowURLSchemes("https") |
There was a problem hiding this comment.
[nitpick] Only allowing HTTPS URLs is a good security practice, but this may be overly restrictive for certain use cases like mailto: links or relative URLs. Consider if this aligns with product requirements, or document this intentional restriction.
| p.AllowURLSchemes("https") | |
| p.AllowURLSchemes("https", "mailto") |
This PR:
Misc updates:
script/licensesandscript/licenses-checkwere updated to useGOFLAGS=-mod=modwhich will ignore the vendor directory. The report template uses theLicenseURLfield, but it’s being populated with links to this repo’s vendored paths because the tool is running in vendor mode by default when a vendor/ directory exists. By addingGOFLAGS=-mod=modvendor directory is ignored and the upstream module url is used as expected.