Improve HTML content sanitization and fix linting issues#1821
Merged
Conversation
stephenegriffin
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR tightens how potentially unsafe header/UI content is rendered in the Outlook add-in, aiming to prevent HTML injection by encoding user-controlled values and restricting when URLs become clickable links.
Changes:
- Updated
ArchivedRowURL rendering logic to only link strict angle-bracketed HTTP(S) URLs; otherwise HTML-encode content. - Switched several
innerHTMLrender paths in the iOS mobile pane to HTML-encode user-controlled values before insertion. - Removed the now-unused
Strings.mapValueToURLhelper and updated unit tests and editor ESLint-on-save configuration.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
src/Scripts/ui/newMobilePaneIosFrame.ts |
Encodes user-controlled values before inserting into innerHTML in the mobile UI. |
src/Scripts/Strings.ts |
Removes mapValueToURL helper. |
src/Scripts/row/ArchivedRow.ts |
Refactors Archived-At rendering to validate and link only strict HTTP(S) URLs. |
src/Scripts/row/ArchivedRow.test.ts |
Updates tests for new ArchivedRow behavior and mocking approach. |
.vscode/settings.json |
Uses ESLint-specific fix action on save. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Stephen Griffin <stephenegriffin@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Stephen Griffin <stephenegriffin@users.noreply.github.com>
macienMSFT
approved these changes
May 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request refactors how URLs and potentially unsafe HTML content are handled and rendered, especially in the
ArchivedRowcomponent and related UI. The main goal is to improve security by ensuring that only valid URLs are rendered as links and all other content is properly HTML-encoded. Additionally, the PR updates tests to reflect these changes and cleans up some ESLint settings.Security and rendering improvements:
src/Scripts/row/ArchivedRow.ts: Replaces the genericStrings.mapValueToURLwith a strictervalueUrlgetter. Now, only strict angle-bracketed HTTP(S) URLs are rendered as clickable links; all other values are safely HTML-encoded, preventing executable HTML from being rendered.src/Scripts/Strings.ts: Removes the now-unusedmapValueToURLmethod.UI updates for safe encoding:
src/Scripts/ui/newMobilePaneIosFrame.ts: Updates all instances where user-supplied values are rendered into the DOM to useStrings.htmlEncode, ensuring that names, addresses, and values in the UI are always encoded and safe to display. [1] [2] [3] [4]Testing improvements:
src/Scripts/row/ArchivedRow.test.ts: Updates and extends tests forArchivedRowto cover the new logic, including strict URL detection, proper encoding of potentially dangerous payloads, and RFC2047 decoding scenarios. Mocks are improved to use real implementations for encoding functions.Tooling configuration:
.vscode/settings.json: Changes ESLint auto-fix on save to use the ESLint-specific fix action, aligning with best practices and preventing unintended fixes from other sources.