Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for Rich Text Input #630

Merged
merged 5 commits into from
Nov 28, 2024
Merged

Support for Rich Text Input #630

merged 5 commits into from
Nov 28, 2024

Conversation

chiragchhatrala
Copy link
Collaborator

@chiragchhatrala chiragchhatrala commented Nov 25, 2024

Summary by CodeRabbit

  • New Features

    • Introduced a new "rich_text" input type for enhanced data entry.
    • Added dedicated support for rich text fields in forms and tables.
    • Expanded input options to include a "rich_text" block type in the configuration.
    • Enhanced handling of pre-filled values for rich text fields.
    • Improved validation and data handling for rich text inputs.
  • Bug Fixes

    • Improved handling of special characters in user input for select and multi-select fields.
  • Documentation

    • Updated configuration to include the new "rich_text" block type in input options.

Copy link
Contributor

coderabbitai bot commented Nov 25, 2024

Caution

Review failed

The pull request is closed.

Walkthrough

The changes in this pull request involve updates to the AnswerFormRequest, OpenFormField, OpenTable, and OpenText components, introducing a new rich_text field type across various parts of the application. The AnswerFormRequest class has been modified to include validation for this new field type and to enhance data handling for select fields. The OpenFormField and OpenTable components have been updated to accommodate the rich_text type, ensuring proper mapping to input components. Additionally, the OpenText component now renders HTML content, improving its display capabilities.

Changes

File Path Change Summary
api/app/Http/Requests/AnswerFormRequest.php Added validation for rich_text type in getPropertyRules and refined handling for select fields. Updated prepareForValidation for data sanitization.
client/components/open/forms/OpenFormField.vue Enhanced getFieldComponents to include rich_text mapping to RichTextAreaInput. Updated inputProperties method for better field type handling.
client/components/open/tables/OpenTable.vue Added rich_text field type to fieldComponents, allowing the component to handle rich text data.
client/components/open/tables/components/OpenText.vue Changed rendering from <span> to <div> with v-html for displaying value prop as HTML.
client/data/blocks_types.json Introduced new block type rich_text with various properties for input configuration.
client/components/open/forms/fields/components/FieldOptions.vue Added <rich-text-area-input> for managing rich text fields and updated conditional rendering logic.

Possibly related PRs

  • Conditioned field validation #418: Modifications to validation logic in AnswerFormRequest.php that may relate to handling form properties.
  • fix select input options #550: Updates in FieldOptions.vue for handling select input options, connecting to refined logic for select fields.
  • Form editor v2 #579: Adjustments for handling various field types in OpenFormField.vue, aligning with enhancements for improved data handling.
  • Matrix Improvements #606: Changes in FieldOptions.vue regarding field options management may relate to overall improvements in data handling and validation.
  • Right to left mode #611: Addition of a new validation rule in UserFormRequest.php for layout handling, potentially connecting to validation enhancements.

Poem

In fields of rich text, we now play,
With inputs that sparkle, brightening the day.
From forms to tables, all in a row,
Our data now dances, with a vibrant glow!
So hop with delight, let the changes be known,
A world of rich text, where creativity's grown! 🐇✨


Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🧹 Outside diff range and nitpick comments (3)
client/components/open/tables/components/OpenText.vue (1)

2-2: Consider semantic markup and accessibility

Using a <div> for text content might not be the most semantic choice and could affect screen readers' interpretation of the content structure.

Consider using more semantic elements based on the content type:

- <div v-html="value" />
+ <p v-html="value" />  <!-- for paragraphs -->

Or if it's meant to be inline text:

- <div v-html="value" />
+ <span v-html="value" />
client/components/open/forms/OpenFormField.vue (2)

Line range hint 332-397: Add rich text specific properties in inputProperties method

The inputProperties method should handle rich text specific configurations. Consider adding properties like:

  • Toolbar configuration
  • HTML sanitization options
  • Rich text specific character limits

Add the following case in the inputProperties method:

 } else if (field.type === 'text' && field.secret_input) {
   inputProperties.nativeType = 'password'
+} else if (field.type === 'rich_text') {
+  inputProperties.toolbarConfig = field.toolbar_config || 'basic'
+  inputProperties.sanitizeHtml = field.sanitize_html !== false
+  // Use existing maxCharLimit and showCharLimit properties
 }

Line range hint 44-53: Add rich text preview support in admin mode

The template should handle rich text preview in admin mode, similar to how 'nf-text' is handled.

Add rich text preview support:

 <template v-else>
+  <div
+    v-if="field.type === 'rich_text' && adminPreview"
+    :id="field.id"
+    :key="field.id"
+    class="nf-text w-full my-1.5 rich-text-preview"
+    :class="[getFieldAlignClasses(field)]"
+    v-html="field.content"
+  />
   <div
     v-if="field.type === 'nf-text' && field.content"
     :id="field.id"

Add CSS for rich text preview:

 <style lang='scss' scoped>
-.nf-text {
+.nf-text, .rich-text-preview {
   ol {
     @apply list-decimal list-inside;
   }
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 1a917cf and fbd58d1.

📒 Files selected for processing (5)
  • api/app/Http/Requests/AnswerFormRequest.php (1 hunks)
  • client/components/open/forms/OpenFormField.vue (1 hunks)
  • client/components/open/tables/OpenTable.vue (1 hunks)
  • client/components/open/tables/components/OpenText.vue (1 hunks)
  • client/data/blocks_types.json (1 hunks)
🔇 Additional comments (3)
client/data/blocks_types.json (2)

11-19: Good placement of the new block type.

The rich_text block is appropriately placed next to the regular text input block, maintaining a logical grouping of related input types.


11-19: LGTM! Configuration looks consistent.

The new rich_text block type follows the established pattern and includes all required properties. The color scheme matches the text input block, maintaining visual consistency.

Let's verify the integration points mentioned in the summary:

✅ Verification successful

Integration verified and properly implemented

The verification confirms that the rich_text block type is correctly integrated:

  • RichTextAreaInput component exists and is properly implemented with Quill editor integration
  • OpenFormField correctly maps the rich_text type to RichTextAreaInput component
  • Component includes proper styling, error handling, and accessibility features

The only missing verification is the OpenText HTML rendering, but since this is a new input type, it's expected to use the existing text rendering infrastructure.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the integration of rich_text type across components

# Check if RichTextAreaInput component exists
echo "Checking for RichTextAreaInput component..."
fd -e vue RichTextAreaInput

# Verify OpenFormField integration
echo "Checking OpenFormField for rich_text handling..."
rg -A 5 "rich_text.*RichTextAreaInput" --type vue

# Verify AnswerFormRequest validation
echo "Checking validation rules..."
rg "rich_text.*getPropertyRules" --type php

# Verify OpenText HTML rendering
echo "Checking OpenText component..."
rg "v-html.*value" --type vue

Length of output: 610


Script:

#!/bin/bash
# Let's modify our search strategy to verify the integration points

# Check RichTextAreaInput component implementation
echo "=== Checking RichTextAreaInput component ==="
cat client/components/forms/RichTextAreaInput.client.vue

# Search for rich_text handling in components without file type restriction
echo -e "\n=== Checking OpenFormField integration ==="
rg "rich_text.*RichTextAreaInput"

# Search for rich_text validation rules without file type restriction
echo -e "\n=== Checking validation rules ==="
rg "rich_text.*getPropertyRules"

# Search for OpenText component rendering without file type restriction
echo -e "\n=== Checking OpenText component ==="
rg "OpenText.*v-html"

Length of output: 5010

client/components/open/tables/OpenTable.vue (1)

196-196: LGTM: Rich text field type addition follows existing patterns

The addition of rich_text field type using shallowRef(OpenText) is consistent with how other text-based fields are handled in the component.

<span>
{{ value }}
</span>
<div v-html="value" />
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Security Risk: Potential XSS Vulnerability

Using v-html without sanitization exposes the application to Cross-Site Scripting (XSS) attacks. Malicious users could inject harmful scripts through the value prop.

Consider these solutions:

  1. Implement HTML sanitization using a library like DOMPurify:
<template>
-  <div v-html="value" />
+  <div v-html="sanitizedValue" />
</template>

<script>
+ import DOMPurify from 'dompurify'

export default {
  components: {},
  props: {
    value: {
      type: String,
      required: true,
    },
  },
+  computed: {
+    sanitizedValue() {
+      return DOMPurify.sanitize(this.value)
+    }
+  }
}
</script>
  1. Or if rich text is not needed, continue using text interpolation:
- <div v-html="value" />
+ <div>{{ value }}</div>

Committable suggestion skipped: line range outside the PR's diff.


💡 Codebase verification

Security concern: Unsanitized v-html usage detected

The codebase shows multiple instances of v-html directive usage without any visible HTML sanitization implementation. This includes user-generated content in forms, notifications, and templates, which could pose XSS security risks. Specific instances that need attention:

  • client/components/open/tables/components/OpenText.vue: Direct v-html binding of value
  • client/components/open/forms/OpenFormField.vue: Direct v-html binding of field.content
  • client/components/forms/validation/AlertError.vue: Direct v-html binding of error messages
  • client/pages/templates/[slug].vue: Direct v-html binding of template descriptions and answers

Recommendation: Implement HTML sanitization using a library like DOMPurify before rendering HTML content to prevent XSS attacks.

🔗 Analysis chain

Verify HTML sanitization implementation

Let's verify if HTML sanitization is implemented elsewhere in the codebase.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for HTML sanitization implementation
# Expected results: Find any existing sanitization logic or DOMPurify usage

# Check for DOMPurify or other sanitization libraries
rg -l "DOMPurify|sanitize|xss|dompurify" --type vue --type js

# Check for rich text related sanitization
ast-grep --pattern 'sanitize($$$)'

# Look for rich text processing logic
rg -A 5 "rich_text" --type vue --type js

Length of output: 197


Script:

#!/bin/bash
# Let's try a different approach to search for sanitization implementations

# Search for sanitization-related terms without file type restrictions
rg -l "DOMPurify|sanitize|xss|dompurify"

# Look for v-html directives to understand the pattern
rg "v-html"

# Search for any security-related utilities or helpers
rg -l "sanitizeHTML|escapeHTML|purifyHTML"

# Check package.json for any sanitization-related dependencies
cat package.json 2>/dev/null || true

Length of output: 1910

Comment on lines +11 to +19
"rich_text": {
"name": "rich_text",
"title": "Rich Text Input",
"icon": "i-heroicons-bars-3-20-solid",
"default_block_name": "Description",
"bg_class": "bg-blue-100",
"text_class": "text-blue-900",
"is_input": true
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Rich text implementation requires additional security measures

The codebase review reveals potential security concerns:

  1. The OpenText component uses v-html directly without sanitization:
<div v-html="value" />
  1. While Quill.js is used for rich text editing, there's no visible sanitization of content before storage or display.

Required actions:

  • Implement HTML sanitization before storing rich text content
  • Add sanitization when displaying content via v-html
  • Consider using DOMPurify or a similar library for sanitization

Recommended implementation:

  1. Add a sanitization library to package.json (e.g., DOMPurify)
  2. Sanitize content in OpenText component before rendering
  3. Add sanitization step in RichTextAreaInput before emitting values
🔗 Analysis chain

Verify security measures for rich text handling.

Since rich text content typically contains HTML and the OpenText component uses v-html (as mentioned in the summary), ensure that:

  1. Proper input sanitization is implemented
  2. HTML content is escaped appropriately
  3. XSS prevention measures are in place

Let's check for sanitization implementation:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for HTML sanitization implementation

# Look for sanitization libraries or implementations
echo "Checking for HTML sanitization..."
rg -l "sanitize|DOMPurify|xss|escapeHTML" --type js --type vue

# Check for security-related comments or documentation
echo "Checking for security documentation..."
rg "XSS|sanitization|security" --type js --type vue

Length of output: 338


Script:

#!/bin/bash
# Description: Check for HTML sanitization implementation with correct file types

# Look for sanitization libraries or implementations
echo "Checking for HTML sanitization..."
rg -l "sanitize|DOMPurify|xss|escapeHTML"

# Search for rich text related components and their implementations
echo -e "\nChecking rich text components..."
fd -e vue -e js . | xargs rg -l "v-html|rich.*text|RichText"

# Check package.json for security-related dependencies
echo -e "\nChecking package dependencies..."
find . -name "package.json" -exec cat {} \;

Length of output: 5129


Script:

#!/bin/bash
# Let's examine the rich text implementation specifically

# Check OpenText component implementation
echo "Checking OpenText component implementation..."
cat client/components/open/tables/components/OpenText.vue

# Check RichTextAreaInput implementation
echo -e "\nChecking RichTextAreaInput implementation..."
cat client/components/forms/RichTextAreaInput.client.vue

# Look for Quill.js configuration (since it's in dependencies)
echo -e "\nChecking for Quill.js configuration..."
rg "Quill|quill" --type vue --type js

Length of output: 5068

@@ -167,6 +167,7 @@ private function getPropertyRules($property): array
{
switch ($property['type']) {
case 'text':
case 'rich_text':
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Rich text configuration needs to be documented and standardized

The codebase shows:

  1. Frontend uses Quill editor with basic formatting options (headers, toolbar)
  2. No explicit HTML sanitization rules found in the backend
  3. No shared configuration between frontend and backend

Consider:

  • Document allowed HTML tags and attributes in a central config file
  • Add HTML sanitization rules in the backend
  • Ensure frontend toolbar options match the allowed HTML tags
  • Add frontend validation to match backend rules

Locations needing attention:

  • client/components/forms/RichTextAreaInput.client.vue: Add documentation for Quill configuration
  • api/app/Http/Requests/AnswerFormRequest.php: Add HTML sanitization rules for rich text fields
🔗 Analysis chain

Document rich text validation rules for frontend components

Since this is part of a larger rich text feature implementation spanning multiple components (OpenFormField, OpenTable, OpenText), it's important to ensure consistent handling of rich text content.

Consider:

  1. Creating a shared configuration for allowed HTML tags/attributes that can be used by both frontend and backend validation
  2. Documenting the rich text validation rules in a central location
  3. Adding frontend validation that mirrors these backend rules to provide immediate feedback to users

Let's check for any existing rich text validation documentation or configuration:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Look for rich text related documentation or configuration
fd -e md -e json -e php -e js -e ts -e vue . | xargs rg -l "rich.?text"

Length of output: 848


Script:

#!/bin/bash
# Check content of relevant files for existing validation rules or configuration
echo "=== Checking block types configuration ==="
cat client/data/blocks_types.json

echo -e "\n=== Checking OpenFormField rich text validation ==="
rg -A 10 "rich.?text" client/components/open/forms/OpenFormField.vue

echo -e "\n=== Checking backend validation rules ==="
rg -A 10 "rich.?text" api/app/Http/Requests/AnswerFormRequest.php

Length of output: 6214


Script:

#!/bin/bash
# Check for rich text editor component and its configuration
echo "=== Checking RichTextAreaInput component ==="
fd -e vue -e js -e ts . | xargs rg -l "RichTextAreaInput"

echo -e "\n=== Checking for HTML sanitization or validation rules ==="
rg -i "sanitize|allowedTags|html.?tags" --type ts --type js --type vue --type php

Length of output: 540


Script:

#!/bin/bash
# Check the rich text editor component implementation
echo "=== Checking RichTextAreaInput implementation ==="
cat client/components/forms/RichTextAreaInput.client.vue

echo -e "\n=== Checking for HTML sanitization with correct file type ==="
rg -i "sanitize|allowedTags|html.?tags" 

Length of output: 144583


Script:

#!/bin/bash
# Check for rich text editor configuration in the frontend
echo "=== Checking rich text editor configuration ==="
rg -A 5 "quillOptions" client/components/forms/RichTextAreaInput.client.vue

echo -e "\n=== Checking for HTML sanitization in backend ==="
rg -A 5 "rich_text.*sanitize" api/app/Http/Requests/AnswerFormRequest.php

Length of output: 678


💡 Codebase verification

⚠️ Potential issue

Based on the findings from our searches, I can now provide a final response:

Rich text input requires HTML purification

The codebase has HTML purification capabilities through a configured HTML Purifier (api/config/purify.php), but it's not being applied to rich text input. The current validation rule of ['string'] for rich text is insufficient.

 case 'rich_text':
-    return ['string'];
+    return [
+        'string',
+        function ($attribute, $value, $fail) {
+            $purified = clean($value); // Uses the configured HTML Purifier
+            if ($purified !== $value) {
+                $fail('The '.$attribute.' contains disallowed HTML content.');
+            }
+        }
+    ];

The HTML Purifier is already configured with safe defaults in config/purify.php:

  • Allowed HTML tags and attributes are restricted
  • Nofollow links are enforced
  • Target blank/noreferrer/noopener security attributes are enabled
  • Custom HTML5 definitions are supported
🔗 Analysis chain

Add security measures for rich text input validation

The current validation rule of ['string'] for rich text input may be insufficient to prevent security vulnerabilities like XSS attacks. Rich text input typically contains HTML markup that requires careful sanitization.

Consider implementing these security measures:

 case 'rich_text':
-    return ['string'];
+    return [
+        'string',
+        'max:10000', // Adjust max length as needed
+        function ($attribute, $value, $fail) {
+            // Use HTML Purifier or similar library
+            $clean = clean($value, [
+                'allowed_tags' => ['p', 'br', 'strong', 'em', 'u', 'ul', 'ol', 'li'],
+                'allowed_attributes' => ['href', 'title', 'target']
+            ]);
+            if ($clean !== $value) {
+                $fail('The '.$attribute.' contains disallowed HTML tags or attributes.');
+            }
+        }
+    ];

Let's check if HTML purifier or similar sanitization libraries are already available in the project:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for HTML sanitization libraries in composer.json
rg -A 5 "purifier|sanitize|clean" composer.json

# Check for any existing HTML sanitization usage
rg -A 5 "purifier|sanitize|clean|xss" app/

Length of output: 193


Script:

#!/bin/bash
# Let's first locate the composer.json file and the app directory
fd composer.json

# Find the Laravel app directory which might be in different locations
fd -t d "^app$"

# Let's also check for any sanitization-related code in the entire codebase
rg -i "sanitize|purify|clean|xss" 

# Check for HTML-related validation rules
rg -i "html|allowedTags|strip_tags" 

Length of output: 131154


Script:

#!/bin/bash
# Let's check for any HTML/rich text validation or sanitization in Laravel validation rules
rg -i "sanitize|purify|clean|html|allowedTags|strip_tags" api/app/Http/Requests/

# Check for any HTML sanitization packages in composer.json
rg -i "purifier|sanitize|clean|html" api/composer.json

# Check for any rich text validation or sanitization in the codebase
rg -i "rich_text.*validation|rich_text.*sanitize" api/

Length of output: 400


Script:

#!/bin/bash
# Let's check the context around rich_text case in AnswerFormRequest.php
rg -B 5 -A 5 "case 'rich_text'" api/app/Http/Requests/AnswerFormRequest.php

# Check if there are any other rich text related validations or configurations
rg -i "rich.?text" api/

# Check for any HTML validation rules in Laravel config
rg -i "html|validation" api/config/

Length of output: 2820


Script:

#!/bin/bash
# Let's check the HTML purifier service implementation
rg -A 10 "class OpenFormsHtmlDefinition" api/app/Service/HtmlPurifier/OpenFormsHtmlDefinition.php

# Check if there's any global middleware that handles HTML purification
rg -l "purify|sanitize|clean" api/app/Http/Middleware/

# Check if the purifier is used in form submission processing
rg -B 5 -A 5 "purify|sanitize|clean" api/app/Jobs/Form/StoreFormSubmissionJob.php

Length of output: 767

@@ -193,6 +193,7 @@ export default {
rafId: null,
fieldComponents: {
text: shallowRef(OpenText),
rich_text: shallowRef(OpenText),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

HTML content is rendered without sanitization - Security Risk

The OpenText component directly renders HTML content using v-html without any sanitization, which poses a significant XSS security risk. The raw HTML content from the value prop is rendered directly into the DOM.

Required changes:

  • Implement HTML sanitization using a library like DOMPurify or sanitize-html before rendering content
  • Add the sanitization step in the component's computed property or method

Example implementation:

<template>
  <div v-html="sanitizedValue" />
</template>

<script>
import DOMPurify from 'dompurify'

export default {
  computed: {
    sanitizedValue() {
      return DOMPurify.sanitize(this.value)
    }
  }
}
</script>
🔗 Analysis chain

Verify HTML sanitization for rich text content

Since the OpenText component now renders HTML content (as per the AI summary), ensure that proper HTML sanitization is implemented to prevent XSS attacks.

Let's verify the sanitization implementation:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for sanitization implementation in OpenText component
ast-grep --pattern 'v-html="$_"' 

# Search for any HTML sanitization libraries
rg -l "sanitize|DOMPurify|xss|sanitizeHtml" --type vue

Length of output: 119


Script:

#!/bin/bash
# Search for OpenText component implementation
fd OpenText --type f --exec cat {}

# Search for sanitization patterns with ripgrep
rg -i "sanitize|DOMPurify|xss|sanitizeHtml|v-html"

# Search for v-html directive usage in vue files
fd "\.vue$" --exec cat {} | rg -i "v-html"

Length of output: 140064


Script:

#!/bin/bash
# Search for OpenText component implementation and any sanitization
fd OpenText --type f --exec grep -l "sanitize\|DOMPurify\|xss\|sanitizeHtml\|v-html" {} \;

# Search for any HTML sanitization libraries in package.json
fd "package.json" --type f --exec cat {} \;

Length of output: 3210


Script:

#!/bin/bash
# Let's examine the content of OpenText.vue to check for any sanitization implementation
cat ./client/components/open/tables/components/OpenText.vue

Length of output: 244

@@ -210,6 +210,7 @@ export default {
}
return {
text: 'TextInput',
rich_text: 'RichTextAreaInput',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Missing import and component registration for RichTextAreaInput

The RichTextAreaInput component exists in the codebase but is not properly imported or registered in OpenFormField.vue. Please add:

  • Import statement for RichTextAreaInput from '../forms/RichTextAreaInput.client.vue'
  • Register it in the components section
🔗 Analysis chain

Verify RichTextAreaInput component availability

While the mapping is correct, we should ensure the RichTextAreaInput component is properly imported and registered.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for RichTextAreaInput component definition and imports
rg -l "RichTextAreaInput"

Length of output: 164


Script:

#!/bin/bash
# Check if RichTextAreaInput is properly imported in OpenFormField.vue
rg -A 5 "import.*RichTextAreaInput" client/components/open/forms/OpenFormField.vue

# Also check component registration in OpenFormField.vue
rg "components:\s*{[^}]*RichTextAreaInput[^}]*}" client/components/open/forms/OpenFormField.vue

Length of output: 323


Script:

#!/bin/bash
# Check for imports and component registration with simpler patterns
rg "import.*RichTextAreaInput" client/components/open/forms/OpenFormField.vue

# Look for components section
rg -A 10 "components:" client/components/open/forms/OpenFormField.vue

# Also check the actual RichTextAreaInput component file
head -n 20 client/components/forms/RichTextAreaInput.client.vue

Length of output: 928


💡 Codebase verification

Rich text input requires XSS protection implementation

The codebase analysis reveals that the RichTextAreaInput component uses Quill.js editor without explicit HTML sanitization. While Quill provides some built-in security features, additional sanitization measures are recommended:

  • Add HTML sanitization library (like DOMPurify) in client/components/forms/RichTextAreaInput.client.vue
  • Sanitize HTML content before emitting the update:modelValue event in client/components/forms/components/QuillyEditor.vue
🔗 Analysis chain

Verify XSS protection for rich text input

Rich text input can be vulnerable to XSS attacks. Ensure proper HTML sanitization is implemented in the RichTextAreaInput component.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for HTML sanitization implementation
rg -A 5 "sanitize|xss|dompurify|sanitization" --type vue

Length of output: 86


Script:

#!/bin/bash
# Search for RichTextAreaInput component and its implementation
fd -e js -e vue RichTextAreaInput

# Search for sanitization patterns in all files
rg -l "sanitize|xss|dompurify|sanitization"

# Get content of RichTextAreaInput component if found
fd -e js -e vue RichTextAreaInput -x cat {}

Length of output: 4875


Script:

#!/bin/bash
# Search for QuillyEditor component implementation
cat client/components/forms/components/QuillyEditor.vue

# Search for any HTML sanitization in dependencies or configuration
rg -l "quill.*sanitize" 

# Check package.json for sanitization-related dependencies
cat package.json

Length of output: 2463

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)
client/components/open/forms/fields/components/FieldOptions.vue (1)

459-459: Consider adding default field values and character limit controls for rich text.

The rich_text type might benefit from having:

  1. Default field values in the setDefaultFieldValues method
  2. Character limit controls like other text-based fields

Consider applying this diff:

 setDefaultFieldValues() {
   const defaultFieldValues = {
     slider: {
       slider_min_value: 0,
       slider_max_value: 100,
       slider_step_value: 1
     },
+    rich_text: {
+      max_char_limit: 5000
+    },
     text: {
       multi_lines: false,
       max_char_limit: 2000
     },
     // ... other field types
   }
   // ... rest of the method
 }

And update the character limit control condition:

-<template v-if="['text', 'number', 'url', 'email'].includes(field.type)">
+<template v-if="['text', 'number', 'url', 'email', 'rich_text'].includes(field.type)">
   <text-input
     name="max_char_limit"
     native-type="number"
     :min="1"
     :form="field"
     label="Max character limit"
     :required="false"
     @update:model-value="onFieldMaxCharLimitChange"
   />
   // ... rest of the template
 </template>
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between fbd58d1 and a3ee265.

📒 Files selected for processing (1)
  • client/components/open/forms/fields/components/FieldOptions.vue (1 hunks)
🔇 Additional comments (1)
client/components/open/forms/fields/components/FieldOptions.vue (1)

451-457: LGTM! Rich text pre-fill input integration looks good.

The integration of the rich-text-area-input component for handling pre-filled values follows the existing pattern and is properly conditioned.

Copy link
Owner

@JhumanJ JhumanJ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the back-end, once validated we need to sanitize with purify the content of this field to avoid injections of code, please add this.
Can probably be done in prepareForValidation in answerformrequest

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)
api/app/Http/Requests/AnswerFormRequest.php (1)

280-282: Consider adding security event logging

While the HTML sanitization is correctly implemented, it would be beneficial to log cases where malicious content is detected.

 if ($property['type'] === 'rich_text' && $receivedValue) {
+    $sanitized = Purify::clean($receivedValue);
+    if ($sanitized !== $receivedValue) {
+        \Log::warning('Potentially malicious content detected in rich text input', [
+            'form_id' => $this->form->id,
+            'field_id' => $property['id'],
+            'ip' => request()->ip()
+        ]);
+    }
-    $mergeData[$property['id']] = Purify::clean($receivedValue);
+    $mergeData[$property['id']] = $sanitized;
 }
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between a3ee265 and 965c5f2.

📒 Files selected for processing (1)
  • api/app/Http/Requests/AnswerFormRequest.php (3 hunks)
🔇 Additional comments (3)
api/app/Http/Requests/AnswerFormRequest.php (3)

17-17: LGTM: Purify facade import

The import of the Purify facade is appropriate for HTML sanitization of rich text input.


171-173: ⚠️ Potential issue

Add comprehensive validation rules for rich text input

The current validation rule ['string'] is insufficient for rich text input. This could lead to security vulnerabilities like XSS attacks.

Add validation rules to:

  1. Limit the content length
  2. Validate HTML structure
  3. Ensure content meets security requirements
 case 'rich_text':
-    return ['string'];
+    return [
+        'string',
+        'max:10000', // Adjust max length as needed
+        function ($attribute, $value, $fail) {
+            $purified = Purify::clean($value);
+            if ($purified !== $value) {
+                $fail("The {$attribute} contains disallowed HTML content.");
+            }
+        }
+    ];

17-17: Verify HTML Purifier configuration

Let's ensure the HTML Purifier is configured with appropriate security settings.

Also applies to: 280-282

✅ Verification successful

Let me check the custom HTML definition implementation to ensure it's secure.


HTML Purifier configuration is properly secured

The HTML Purifier configuration is well-implemented with appropriate security measures:

  • Uses strict HTML tag whitelist with specific allowed attributes
  • Enables security features for links (nofollow, noreferrer, noopener)
  • Restricts CSS properties to safe styling attributes
  • Custom HTML definition only adds necessary mention-related attributes to span elements
  • Builds upon the secure HTML5 definition base
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check HTML Purifier configuration
echo "=== Checking HTML Purifier config ==="
cat api/config/purify.php 2>/dev/null || echo "Warning: HTML Purifier config not found"

# Check if there are any custom HTML definitions
echo -e "\n=== Checking custom HTML definitions ==="
fd -e php . | xargs rg -l "HTMLPurifier_HTMLDefinition"

Length of output: 5224


Script:

#!/bin/bash
# Check the custom HTML definition implementation
echo "=== Checking OpenFormsHtmlDefinition implementation ==="
cat api/app/Service/HtmlPurifier/OpenFormsHtmlDefinition.php

Length of output: 895

@JhumanJ JhumanJ merged commit 13c40f6 into main Nov 28, 2024
5 checks passed
@JhumanJ JhumanJ deleted the 147a6-rich-text-input branch November 28, 2024 15:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants