Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid adding inline styles to table as it violates Content security policy headers #552

Closed
Sanbala opened this issue Mar 1, 2021 · 3 comments
Closed

Avoid adding inline styles to table as it violates Content security policy headers #552

Sanbala opened this issue Mar 1, 2021 · 3 comments
Labels
🙅 no/wontfix This is not (enough of) an issue for this project

Comments

@Sanbala
Copy link

Sanbala commented Mar 1, 2021

Avoid adding inline styles as it causes security violation when adding CSP headers

In table renderer, inline style attribute is added to the React element when there are styles specified in the markdown. This causes security violation. In order

Your environment

  • OS: Windows
  • Packages: Latest (v4.3.1)
  • Env: All browsers

Steps to reproduce

  1. Write a table with center aligned column and right aligned column in markdown.
  2. Pass this to react markdown and check the final output. The rendered react element will have the style attribute assigned to th element.

Provided the sample app code below,
https://codesandbox.io/s/react-markdown-debug-forked-1ifpx?file=/src/App.js

Expected behavior

align attribute should be added to the element

Actual behavior

Style attribute is getting added to the element

To solve the above issue, table cell renderer has to be changed. I am currently overriding the table cell renderer and adding "align" attribute if style has text-align and removed the style attribute. Please find the code Below,

export function customTableCellRenderer(props: any) {
  let tableCellElement = tableCellRenderer(props); //**Original react markdown tableCellRenderer**
  let elementProps = { ...tableCellElement.props };

  if (elementProps.style?.textAlign) {
    elementProps.align = elementProps.style.textAlign;
    delete elementProps.style;
    tableCellElement = { ...tableCellElement, ...{ props: elementProps } };
  }

  return tableCellElement;
}
@Sanbala Sanbala added 🐛 type/bug This is a problem 🙉 open/needs-info This needs some more info labels Mar 1, 2021
@wooorm
Copy link
Member

wooorm commented Mar 2, 2021
edited

Hmm. React warns about align, because it’s deprecated. That’s why most react markdown tools use style instead.

Can you allow inline style in your CSP? And, otherwise, I think it’s fine that you override it yourself?

@Sanbala
Copy link
Author

Sanbala commented Mar 2, 2021

Its possible to allow inline style in CSP headers but that will cause security vulnerability. so, we didn't do that.
Will my above override cause any issue anytime?

@wooorm
Copy link
Member

wooorm commented Mar 2, 2021

Its possible to allow inline style in CSP headers but that will cause security vulnerability

Such as?

Will my above override cause any issue anytime?

We will probably rewrite renderers next major: #549. So then it’d need to change. But otherwise it looks good

@wooorm wooorm closed this as completed Mar 2, 2021
@wooorm wooorm added 🙅 no/wontfix This is not (enough of) an issue for this project and removed 🐛 type/bug This is a problem 🙉 open/needs-info This needs some more info labels Mar 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🙅 no/wontfix This is not (enough of) an issue for this project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wooorm @Sanbala