fix(security): replace dangerouslySetInnerHTML with safe React rendering in ChartStyle#548
Open
danieloche635-bit wants to merge 3 commits into
Conversation
- Replace localStorage plaintext UUID storage with salted hash - Add per-session salt stored in sessionStorage - Add synchronous hash function for device identity - Update tests to verify hashed storage behavior Closes MettaChain#448
- Add /api/security/address-check Next.js API route to proxy Chainalysis requests - Remove API key exposure from browser via window global (__CHAINALYSIS_API_KEY__) - Move API key to server-only CHAINALYSIS_API_KEY env variable - Add security:check-globals npm script to prevent future __ global leaks - Update tests to verify proxy endpoint usage Closes MettaChain#442
…ing in ChartStyle - Remove dangerouslySetInnerHTML usage in chart.tsx ChartStyle component - Use React's built-in text content escaping via JSX children - Filter empty CSS rules to prevent rendering empty style tags - CSS content is automatically HTML-escaped by React's text node rendering Closes MettaChain#439
|
@danieloche635-bit Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary (P1)
\ChartStyle\ component used \dangerouslySetInnerHTML\ to inject CSS with color values from the chart config, creating a potential XSS vector if config values ever accept external input.
Changes
Security
React's JSX text content is always escaped, preventing HTML injection even if config values contain malicious strings. This is fundamentally safer than \dangerouslySetInnerHTML\ which bypasses React's escaping entirely.
Closes #439