Merge remote-tracking branch 'origin/main' into build

humanmade · Dec 7, 2023 · e56a031 · e56a031
2 parents 1ddf4bd + 6931d5a
commit e56a031
Show file tree

Hide file tree

Showing 9 changed files with 8,949 additions and 7,396 deletions.
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v12.22.8
+v12
diff --git a/README.md b/README.md
@@ -80,6 +80,12 @@ The script will sync the the build branch with main, build assets and commit the
 
 ## Changelog
 
+### v1.7.2
+
+* Upgraded dependencies for enhanced performance, security and stability.
+* Audit fix dependency upgrade, improving code security.
+* Enhanced security by introducing sanitization for `post.title.rendered` mitigating XSS attack risks.
+
 ### v1.7.1
 
 * Add filter for minimum search length for term select.

diff --git a/composer.lock b/composer.lock
diff --git a/js/post-select/components/post-list-item.js b/js/post-select/components/post-list-item.js
@@ -1,4 +1,5 @@
 import classNames from 'classnames';
+import DOMPurify from 'dompurify';
 import moment from 'moment';
 import PropTypes from 'prop-types';
 import React from 'react';
@@ -14,7 +15,7 @@ const PostListItem = ( { post, author, thumbnail, postTypeObject, isSelected, on
 		<label htmlFor={ `select-post-${post.id}` }>
 			{ thumbnail
 				? <img
-					alt={ post.title.rendered }
+					alt={ DOMPurify.sanitize( post.title.rendered ) }
 					className="post-list-item--image"
 					src={ thumbnail.media_details.sizes.thumbnail.source_url }
 				/>
@@ -27,7 +28,7 @@ const PostListItem = ( { post, author, thumbnail, postTypeObject, isSelected, on
 					type="checkbox"
 					onChange={ () => onToggleSelected() }
 				/>
-				<h2 dangerouslySetInnerHTML={ { __html: post.title.rendered } } />
+				<h2 dangerouslySetInnerHTML={ { __html: DOMPurify.sanitize( post.title.rendered ) } } />
 				<div className="post-list-item--meta">
 					{ postTypeObject && ( <span><b>{ __( 'Type:', 'hm-gb-tools' ) }</b> { postTypeObject.labels.singular_name }</span> ) }
 					<span><b>{ __( 'Status:', 'hm-gb-tools' ) }</b> { post.status }</span>

diff --git a/js/post-select/components/selection-item.js b/js/post-select/components/selection-item.js
@@ -1,4 +1,5 @@
 import classNames from 'classnames';
+import DOMPurify from 'dompurify';
 import moment from 'moment';
 import PropTypes from 'prop-types';
 import React, { Fragment } from 'react';
@@ -18,13 +19,13 @@ const SelectionListItem = ( { post, thumbnail, author, postTypeObject, isSelecte
 			<Fragment>
 				{ thumbnail
 					? <img
-						alt={ post.title.rendered }
+						alt={ DOMPurify.sanitize( post.title.rendered ) }
 						className="post-list-item--image"
 						src={ thumbnail.media_details.sizes.thumbnail.source_url }
 					/>
 					: '' }
 				<div className="post-list-item--inner">
-					<h2 dangerouslySetInnerHTML={ { __html: post.title.rendered } } />
+					<h2 dangerouslySetInnerHTML={ { __html: DOMPurify.sanitize( post.title.rendered ) } } />
 					<div className="post-list-item--meta">
 						{ postTypeObject && ( <span><b>{ __( 'Type:', 'hm-gb-tools' ) }</b> { postTypeObject.labels.singular_name }</span> ) }
 						<span><b>{ __( 'Status:', 'hm-gb-tools' ) }</b> { post.status }</span>

diff --git a/js/post-select/containers/browse.js b/js/post-select/containers/browse.js
@@ -1,6 +1,6 @@
 /* global wp */
 
-import _isEqual from 'lodash/isequal';
+import _isEqual from 'lodash/isEqual';
 import PropTypes from 'prop-types';
 import React from 'react';