DOMPurify inside Forge UI Kit

Hey,

As part of the task “sanitizing user input” I’m using the npm lib DOMPurify within Custom UI successfully.

I tried to do the same for Forge UI Kit.
The simple approach (just installing DOMPurify) doesn’t work (" … sanitizer is not a function …").
Sure. DOMPurify needs a browser to work in. So I tried two options:

  1. Isomorphic DOMPurify
    At first I thought the code would run, but the deploy stage led to the error:
    " Error thrown in the snapshot context.
    App code snapshot error: Snapshot error occurred: Error: webpack_require (…) is not a function"

  2. DOMPurify + jsdom
    This led to the same snapshot error.

So my questions to you as experienced guys & Atlassian staff:

  • Do I need the sanitizing of user input in Forge UI Kit at all? Or is it already built in?
    (I couldn’t find any clear documentation about this, especially about the difference between Forge UI Kit and Custom UI regarding this topic.)
  • If I need to do it:
    o Is there a workaround to my described problems?
    o Are there other options?

Thanks a lot!!


Same here when using “jsdom” alone too. Exactly the same error when using forge tunnel.

If I add this to manifest.yml:

app:
  runtime:
    snapshots: false

then I don’t get the error at deployment time but at runtime. :frowning:


Hi @FranzBinder,

I think the reason you are able to use these types of libraries with Custom UI but not with Forge UI Kit is that there is no DOM in Forge UI Kit. Or rather, you aren’t able to interact with the DOM when using Forge UI Kit.

You only give Atlassian your JSX, which tells them what Forge UI Kit components you want to use, what click handlers they should have, and so on. Atlassian then takes care of rendering that into HTML. Your code is completely sandboxed and doesn’t run in the frontend. That’s also why, for example, you can’t use CSS, alert, or any other kind of browser functionality with Forge UI Kit.

If you want to know more details I highly recommend watching this talk from AtlasCamp 2019 by @pstreule: Forge: Under the Hood - YouTube

Of course, it is still a good idea to sanitize user input. But if you actually manage to render HTML somehow (which is essentially what the libraries you want to use try to prevent, right?), that’s probably a security hole in Forge UI Kit, which you should raise with Atlassian via their bug bounty program.

Cheers,
Sven


Thank you, Sven. In my case, I just wanted to use jsdom to create my own DOM and parse an HTML document so that it can be published as the content of a Confluence page. For some reason, jsdom can’t be used. Now I’m using xmldom and it’s working pretty well. :white_check_mark:


Thanks @sven.schatter for your detailed explanation of why this approach isn’t going to work!
I assumed this somehow.

The reason I was raising this is the necessary and understandable Atlassian demands on developers written in the Shared responsibility model:

I think I got a solution for Custom UI, but I’m still not sure if - and what exactly - I’m supposed to do for Forge UI Kit.

It’s pretty clear that a good and reliable security approach helps everyone: customers, marketplace partners and Atlassian. Overall it will work better the easier and clearer it is for developers to fulfil the demands.

IMHO, what I’m missing is a clear and well documented specification from Atlassian of how this should be done in Custom UI and Forge UI Kit, at best with examples and coding best practices. :wink:
