Skip to content

[docs-infra] Remove dangerouslySetInnerHTML for ad description #46936

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Janpot merged 1 commit into from
Sep 16, 2025
Merged

[docs-infra] Remove dangerouslySetInnerHTML for ad description #46936

Janpot merged 1 commit into from
Sep 16, 2025

Conversation

@Janpot
Copy link
Member

@Janpot Janpot commented Sep 15, 2025
edited by oliviertassinari
Loading

Avoid injecting unsanitized html from third party ad networks.

Credit goes to @Gyde04, thank you for reporting!

Preview https://deploy-preview-46936--material-ui.netlify.app/material-ui/react-button/

@mui-bot
Copy link

mui-bot commented Sep 15, 2025
edited
Loading

Netlify deploy preview

https://deploy-preview-46936--material-ui.netlify.app/

Bundle size report

Bundle Parsed size Gzip size
@mui/material 0B(0.00%) 0B(0.00%)
@mui/lab 0B(0.00%) 0B(0.00%)
@mui/system 0B(0.00%) 0B(0.00%)
@mui/utils 0B(0.00%) 0B(0.00%)

Details of bundle changes

Generated by 🚫 dangerJS against 1c72895

@Janpot Janpot added security Pull requests that address a security vulnerability. scope: code-infra Involves the code-infra product (https://www.notion.so/mui-org/5562c14178aa42af97bc1fa5114000cd). labels Sep 15, 2025
@Janpot Janpot changed the title [code-infra] Remove dangerouslySetInnerHTML for ad description [code-infra] Remove dangerouslySetInnerHTML for ad description Sep 15, 2025
@Janpot Janpot marked this pull request as ready for review September 15, 2025 12:07
@oliviertassinari oliviertassinari added the docs Improvements or additions to the documentation. label Sep 15, 2025
oliviertassinari
oliviertassinari reviewed Sep 15, 2025
View reviewed changes
Copy link
Member

@oliviertassinari oliviertassinari left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't expect regressions from those changes; it seems OK.

On the security part, this seems far-fetched, we grant all permissions to https://cdn.carbonads.com/carbon.js by loading this as a script, which uses .innerHTML to inject the description, so they already have to sanitize the ad description, so this should make no difference.

However, forcing strings enforces consistency in the ad layout, which seems like a positive UI change.

@oliviertassinari oliviertassinari changed the title [code-infra] Remove dangerouslySetInnerHTML for ad description [docs-infra] Remove dangerouslySetInnerHTML for ad description Sep 15, 2025
@oliviertassinari oliviertassinari added scope: docs-infra Involves the docs-infra product (https://www.notion.so/mui-org/b9f676062eb94747b6768209f7751305). and removed scope: code-infra Involves the code-infra product (https://www.notion.so/mui-org/5562c14178aa42af97bc1fa5114000cd). labels Sep 15, 2025
@Janpot
Copy link
Member Author

Janpot commented Sep 16, 2025
edited
Loading

On the security part, this seems far-fetched, we grant all permissions to https://cdn.carbonads.com/carbon.js by loading this as a script, which uses .innerHTML to inject the description, so they already have to sanitize the ad description, so this should make no difference.

We're loading these ads from https://srv.buysellads.com/. I think this makes some difference, we halved the amount of ad domains that can inject code in our pages.

material-ui/packages/mui-docs/src/Ad/AdCarbon.tsx

Line 86 in 4a24067

response = await fetch('https://srv.buysellads.com/ads/CE7DC23W.json');

@Janpot Janpot merged commit e9183d0 into mui:master Sep 16, 2025
22 of 23 checks passed
@oliviertassinari
Copy link
Member

oliviertassinari commented Sep 16, 2025
edited
Loading

We're loading these ads from https://srv.buysellads.com/

For context, srv.buysellads.com and cdn.carbonads.com are operated by the same product.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oliviertassinari oliviertassinari oliviertassinari left review comments

@dav-is dav-is dav-is approved these changes

Assignees

No one assigned

Labels

docs Improvements or additions to the documentation. scope: docs-infra Involves the docs-infra product (https://www.notion.so/mui-org/b9f676062eb94747b6768209f7751305). security Pull requests that address a security vulnerability.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Janpot @mui-bot @oliviertassinari @dav-is