Skip to content

feat(web): HTML sanitization#680

Open
hejsztynx wants to merge 8 commits into
mainfrom
@ksienkiewicz/feat-html-sanitization
Open

feat(web): HTML sanitization#680
hejsztynx wants to merge 8 commits into
mainfrom
@ksienkiewicz/feat-html-sanitization

Conversation

@hejsztynx

@hejsztynx hejsztynx commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • implemented sanitization on all ends of the EnrichedTextInput and EnrichedText
  • we were allowing all custom mention attributes names, inluding potentially malicious ones. Now the attributes are sanitized and if one doesn't start with the data- prefix, we print a runtime warning that it might get stripped by a sanitizer
  • the 'default' mention style functionality wasn't documented
  • the normalizer let through only a predefined set of mention attributes: id, text and indicator - now it allows every custom attribute

Test Plan

Try to create a mention with an illegal HTML attribute, eg. onClick. It should be stripped and a suitable console warning should be visible.

Compatibility

OS Implemented
iOS
Android
Web

Checklist

  • E2E tests are passing
  • Required E2E tests have been added (if applicable)

Copilot AI review requested due to automatic review settings July 6, 2026 11:40
@hejsztynx hejsztynx marked this pull request as draft July 6, 2026 11:40

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces automatic HTML sanitization for the web implementation to reduce XSS/paste-attack risk, and tightens/sanitizes custom <mention> attributes passed through the web input APIs.

Changes:

  • Add a DOMPurify-backed sanitizer utility plus mention-attribute sanitization + runtime warnings for non‑data-* custom attributes.
  • Sanitize HTML at major web input/output boundaries for TipTap (defaultValue/setValue/paste and getHTML/onChangeHtml).
  • Update docs, example usage, and an E2E link test to align with the new sanitization behavior.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
src/web/sanitization/htmlSanitizer.ts Introduces sanitizeHtml, mention attribute sanitization, and attribute warning helper.
src/web/normalization/tiptapHtmlNormalizer.ts Applies sanitization to TipTap HTML ingress/egress normalization.
src/web/EnrichedTextInput.tsx Sanitizes/warns on mention attributes before inserting a mention.
src/web/tests/mentionSanitization.test.ts Adds unit tests for mention attribute sanitization and sanitizer behavior.
docs/WEB.md Updates web docs to describe automatic sanitization and mention attribute guidance.
docs/INPUT_API_REFERENCE.md Documents 'default' mention style fallback behavior.
apps/example-web/src/App.tsx Updates example mention attributes to use data-*.
.playwright/tests/links.spec.ts Adjusts link copy/paste test data to a sanitizer-friendly URL.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/web/normalization/tiptapHtmlNormalizer.ts
Comment thread docs/WEB.md Outdated
Comment thread docs/INPUT_API_REFERENCE.md Outdated
Comment thread src/web/__tests__/sanitization.test.ts
@hejsztynx hejsztynx marked this pull request as ready for review July 6, 2026 12:17
Comment thread src/web/normalization/tiptapHtmlNormalizer.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants