chore(documents): Allow SVG in HTML sanitation

[thordurhhh]

What

Allow SVG in HTML sanitation

Why

Organizations that send to the inbox, should be allowed to send HTML including SVG.

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Enhanced HTML sanitization to support a broader range of SVG tags and attributes
  • Improved content processing for documents with SVG elements

• Improvements

  • Expanded allowed HTML content validation
  • More flexible handling of SVG elements in document mapping

[coderabbitai]

Walkthrough

The pull request introduces enhancements to HTML content sanitization in the documents library. The changes expand support for SVG elements by defining a comprehensive list of allowed SVG tags and attributes. The modifications are implemented across two files: document.dto.ts and htmlConfig.ts, focusing on improving the flexibility of HTML and SVG content processing while maintaining sanitization standards.

Changes

File	Change Summary
libs/clients/documents-v2/src/utils/htmlConfig.ts	- Added svgTags constant with list of SVG tags - Added svgAttributes constant with SVG attributes - Exported svgAttr object mapping tags to allowed attributes
libs/clients/documents-v2/src/lib/dto/document.dto.ts	- Extended allowedTags to include SVG tags - Updated allowedAttributes to incorporate SVG attributes

Sequence Diagram

sequenceDiagram
    participant Input as HTML/SVG Content
    participant Sanitizer as Content Sanitizer
    participant Config as HTML Configuration
    
    Input->>Config: Request allowed tags/attributes
    Config-->>Sanitizer: Provide SVG tags and attributes
    Sanitizer->>Sanitizer: Validate and sanitize content
    Sanitizer->>Input: Return sanitized HTML/SVG

Loading

Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

libs/clients/documents-v2/src/utils/htmlConfig.ts (2)

24-43: Add TypeScript types and consider additional SVG attributes

Consider the following improvements:

1. Add TypeScript type definitions for better type safety:

type SvgAttribute = typeof svgAttributes[number];

2. Consider adding standard SVG attributes:
   • xmlns for XML namespace
   • version for SVG version

---

45-58: Enhance type safety and consider attribute restrictions

The current implementation allows all attributes for most tags, which might be too permissive. Consider:

1. Adding TypeScript interfaces for better type safety:

interface SvgAttributeMap {
  [key: string]: readonly string[];
}

2. Restricting attributes per tag based on SVG specification

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc196a2 and cf9ab0c.

📒 Files selected for processing (2)

• libs/clients/documents-v2/src/lib/dto/document.dto.ts (2 hunks)
• libs/clients/documents-v2/src/utils/htmlConfig.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

libs/clients/documents-v2/src/lib/dto/document.dto.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/clients/documents-v2/src/utils/htmlConfig.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: prepare

🔇 Additional comments (1)

libs/clients/documents-v2/src/utils/htmlConfig.ts (1)

3-22: Review security implications of SVG tags and add documentation tags

While the SVG tags list is comprehensive, there are some security considerations:

1. The foreignObject tag can potentially embed arbitrary HTML content
2. The use tag with xlink:href can reference external content

Consider:

• Adding documentation tags like title and desc for accessibility
• Documenting security implications of allowing these tags

Run this script to check for potential SVG-based XSS vectors in the codebase:

✅ Verification successful

SVG configuration is secure, documentation can be improved

The security concerns about SVG tags are properly addressed:

• HTML content in foreignObject is sanitized by sanitize-html
• use tag is safely restricted to only xlink:href attribute
• No direct SVG injection points found in the codebase

Consider adding documentation about security measures and adding accessibility tags (title, desc) in a separate PR.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for potentially unsafe SVG usage
rg -i "foreignObject|xlink:href" --type ts

Length of output: 252

---

Script:

#!/bin/bash
# Get the complete htmlConfig.ts content
cat libs/clients/documents-v2/src/utils/htmlConfig.ts

# Search for any sanitization usage
rg -A 5 -B 5 "sanitize|DOMPurify" --type ts

Length of output: 66926

---

Script:

#!/bin/bash
# Search for potential SVG injection points or raw SVG usage
rg -i "innerHTML|dangerouslySetInnerHTML|createElementNS.*svg" --type ts

Length of output: 2253

[thorkellmani]

LGTM

[datadog-island-is]

Datadog Report

Branch report: documents/html-sanitize-svg
Commit report: f951fd7
Test service: api

✅ 0 Failed, 4 Passed, 0 Skipped, 2.92s Total Time
➡️ Test Sessions change in coverage: 1 no change

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 35.61%. Comparing base (fc196a2) to head (a18d069).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #17523   +/-   ##
=======================================
  Coverage   35.61%   35.61%           
=======================================
  Files        7015     7015           
  Lines      150337   150333    -4     
  Branches    42980    42979    -1     
=======================================
+ Hits        53540    53543    +3     
+ Misses      96797    96790    -7     

Flag	Coverage Δ
api	3.33% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 3 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7e8309f...a18d069. Read the comment docs.