Conversation

BHulovatyi
Collaborator

What Is This Change?

How Has This Been Tested?

Basic checks:

  • npm run lint
  • npm run test

Advanced checks:

  • If Atlassian employee & Bitbucket changes: did you test with DC in mind? See Instructions

Recommendations:

  • Update the CHANGELOG if making a user facing change


// Fallback: render as HTML for plain text/HTML content
// eslint-disable-next-line react-dom/no-dangerously-set-innerhtml
return <div className={className} style={style} dangerouslySetInnerHTML={{ __html: content || '' }} />;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML (Medium)

DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 22 days ago

To fix this vulnerability, contextually encode or sanitize the user-supplied text before passing it to dangerouslySetInnerHTML in AdfAwareContent.tsx (line 42). Since in the fallback route the text is not valid ADF and can be any string, we should treat it as plain text by default and ensure that any HTML meta-characters are escaped (e.g., < becomes &lt;) unless we know the string is trusted HTML.

The best fix here is to explicitly escape the content before rendering it as HTML, so that any meta-characters are rendered as plain text. Alternatively, a well-known library such as he (for HTML entity encoding) can be used for escaping. We should update the fallback rendering (line 42) so that content is escaped before being injected.

Changes/concrete steps:

  • In src/webviews/components/AdfAwareContent.tsx, import the he library (import { escape } from 'he';).
  • On line 42, replace dangerouslySetInnerHTML={{ __html: content || '' }} with dangerouslySetInnerHTML={{ __html: escape(content || '') }}.
  • Ensure that the dependency he is available in the project (add to package.json if needed).
  • No other files need to be changed according to the given snippets.

Suggested changeset 2
src/webviews/components/AdfAwareContent.tsx

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/webviews/components/AdfAwareContent.tsx b/src/webviews/components/AdfAwareContent.tsx
--- a/src/webviews/components/AdfAwareContent.tsx
+++ b/src/webviews/components/AdfAwareContent.tsx
@@ -1,5 +1,6 @@
 import { ReactRenderer } from '@atlaskit/renderer';
 import React from 'react';
+import { escape } from 'he';
 
 interface AdfAwareContentProps {
     content: string;
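Review bot: the new `import { escape } from 'he';` lands in a `.tsx` file, and `he` ships no type declarations of its own, so under a strict TypeScript build this import will fail (or resolve to an implicit `any`) until `@types/he` is added as a devDependency or a local module declaration is provided; neither this hunk nor the accompanying package.json hunk does that. Also consider placing the import with the other third-party imports rather than after `react`, following whatever grouping the file already uses.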
@@ -39,7 +40,7 @@
 
     // Fallback: render as HTML for plain text/HTML content
     // eslint-disable-next-line react-dom/no-dangerously-set-innerhtml
-    return <div className={className} style={style} dangerouslySetInnerHTML={{ __html: content || '' }} />;
+    return <div className={className} style={style} dangerouslySetInnerHTML={{ __html: escape(content || '') }} />;
 };
 
 export default AdfAwareContent;
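Review bot: wrapping the value in `escape()` turns this branch into a plain-text renderer, which contradicts the comment kept directly above it ("render as HTML for plain text/HTML content"): a value such as `<b>x</b>` will now display as the literal characters `<b>x</b>`, and input that is already entity-encoded (for example `a &lt; b`) will be double-encoded and show as `a &lt; b` verbatim. If this fallback genuinely receives HTML, escaping is the wrong fix and a sanitizer such as DOMPurify should be applied before `dangerouslySetInnerHTML`; if it is meant to be plain text, the cleaner fix is `return <div className={className} style={style}>{content || ''}</div>;`, which lets React escape the text and removes both the `dangerouslySetInnerHTML` call and the `eslint-disable-next-line` above it. In either case the stale comment should be updated to say what the branch now does.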
EOF
package.json
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -1577,7 +1577,8 @@
         "turndown": "^7.2.0",
         "use-constant": "^2.0.0",
         "uuid": "^11.1.0",
-        "websocket": "^1.0.35"
+        "websocket": "^1.0.35",
+        "he": "^1.2.0"
     },
     "devDependencies": {
         "@compiled/webpack-loader": "^0.19.6",
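Review bot: the new `"he": "^1.2.0"` entry is appended after `"websocket"`, breaking the alphabetical order the surrounding entries keep (`turndown`, `use-constant`, `uuid`, `websocket`); it belongs at its sorted position earlier in the `dependencies` block. The patch also changes only package.json, so the lockfile is left out of sync; run `npm install` and commit the resulting lockfile change, and add `@types/he` to `devDependencies` at the same time if the project compiles with strict TypeScript.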
EOF
This fix introduces these dependencies:

Package     Version   Security advisories
he (npm)    1.2.0     None
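The effect of the autofix can be checked without React, as an added example that is not part of this PR or the project's code base: the fallback branch is reduced to the string it would hand to dangerouslySetInnerHTML, once as the original code and once as the patched code, and both are run over constructed inputs. escapeHtml here stands in for escape() from 'he' and is assumed to encode the same six characters (&, <, >, ", ', `); opensTag and the sample strings are constructed for the demonstration and are not taken from the project.

```typescript
// Added example, not code from the PR or the project: the AdfAwareContent.tsx
// fallback before and after the autofix, reduced to the HTML string handed to
// dangerouslySetInnerHTML so the effect of escaping can be checked outside React.
// escapeHtml is assumed to encode the same character set as he.escape
// (&, <, >, ", ', `); the project's patch calls escape() from 'he' instead.

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

function escapeHtml(text: string): string {
  return text.replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Before the patch: whatever arrived (issue description, comment body, ...)
// goes to the DOM as markup, exactly as the CodeQL alert describes.
function fallbackHtmlBefore(content: string | undefined): string {
  return content || '';
}

// After the patch: every meta-character is entity-encoded, so the browser
// shows the string verbatim and cannot build elements or attributes from it.
function fallbackHtmlAfter(content: string | undefined): string {
  return escapeHtml(content || '');
}

// Rough "does this string open a tag?" check, sufficient for the assertions
// below: '<' followed by a letter, '/' or '!' is where an HTML tokenizer starts
// a tag; a bare '<' followed by anything else stays text.
function opensTag(html: string): boolean {
  return /<[a-zA-Z/!]/.test(html);
}

// Constructed inputs: an injection payload, legitimate markup of the kind the
// old comment ("plain text/HTML content") suggests the fallback was meant to
// render, plain prose containing a comparison sign, and already-escaped text.
const SAMPLES = {
  payload: '<img src=x onerror="alert(document.cookie)">',
  markup: '<b>Release</b> blocked by <a href="https://example.invalid">QA</a>',
  prose: 'retry if count < 3 && status != "done"',
  preEscaped: 'a &lt; b',
};

interface Outcome {
  before: boolean; // a tag reaches the DOM with the original code
  after: boolean;  // a tag reaches the DOM with the autofix applied
}

function compare(content: string): Outcome {
  return {
    before: opensTag(fallbackHtmlBefore(content)),
    after: opensTag(fallbackHtmlAfter(content)),
  };
}

function demo(): Record<keyof typeof SAMPLES, Outcome> {
  return {
    payload: compare(SAMPLES.payload),       // before: true,  after: false (XSS closed)
    markup: compare(SAMPLES.markup),         // before: true,  after: false (markup now literal text)
    prose: compare(SAMPLES.prose),           // before: false, after: false (unchanged either way)
    preEscaped: compare(SAMPLES.preEscaped), // before: false, after: false (but now double-encoded)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running demo() shows the trade-off the patch makes: the injection payload no longer opens a tag, but the legitimate markup sample loses its formatting and the already-escaped sample is double-encoded. Which of escaping and sanitizing is the right fix therefore depends on what the fallback is actually fed, which the snippet on this page does not settle.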