
chore(clerk-js): Remove unused fitTextInOneLine and textWidthForCurrentSize

Open zythosec opened this issue 1 year ago • 1 comments

Description

  • Removes fitTextInOneLine and textWidthForCurrentSize

textWidthForCurrentSize is vulnerable to XSS because text is set to hiddenTextContainer.innerHTML without sanitization. Fortunately this method is not invoked anywhere except from fitTextInOneLine (which is also not invoked anywhere). Instead of sanitizing the text I have opted to remove this unused code.

Checklist

  • [x] npm test runs as expected.
  • [x] npm run build runs as expected.
  • [ ] (If applicable) JSDoc comments have been added or updated for any package exports
  • [ ] (If applicable) Documentation has been updated

Type of change

  • [ ] 🐛 Bug fix
  • [ ] 🌟 New feature
  • [ ] 🔨 Breaking change
  • [x] 📖 Refactoring / dependency upgrade / documentation
  • [ ] other:

zythosec avatar Oct 25 '24 20:10 zythosec
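The combination this PR describes, an unsanitized innerHTML assignment inside code that nothing calls, can be checked for mechanically. The following is an added example, not code from this PR or from clerk-js: a regex-based heuristic that reports non-literal innerHTML/outerHTML assignments and whether any caller chain reaches them. The sample source is constructed; only the names fitTextInOneLine, textWidthForCurrentSize and hiddenTextContainer come from the PR description, and auditHtmlSinks and its helpers are hypothetical.

```javascript
// Constructed sample, NOT the clerk-js source: it only mirrors the shape the PR describes.
const SAMPLE_SOURCE = `
export function textWidthForCurrentSize(text, hiddenTextContainer) {
  hiddenTextContainer.innerHTML = text;
  return hiddenTextContainer.clientWidth;
}
export function fitTextInOneLine(text, el, hiddenTextContainer) {
  return textWidthForCurrentSize(text, hiddenTextContainer) <= el.clientWidth;
}
export function setLabel(el, label) { el.textContent = label; }
export function clear(el) { el.innerHTML = ''; }
`;

// Heuristic split: each "function name(" runs up to the next declaration (regex, not a parser).
function splitFunctions(source) {
  const starts = [...source.matchAll(/function\s+([A-Za-z_]\w*)\s*\(/g)];
  return starts.map((m, i) => ({
    name: m[1],
    body: source.slice(m.index, i + 1 < starts.length ? starts[i + 1].index : source.length),
  }));
}

// Assignment (= or +=, but not == / ===) to an HTML-parsing property, capturing the right-hand side.
const SINK = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*([^;\n]+)/g;
// A constant string with no interpolation cannot carry caller-controlled markup.
const isLiteral = rhs => /^(?:'[^']*'|"[^"]*"|`[^`$]*`)$/.test(rhs.trim());

// Names of the other functions in this file that call `name`.
const callersOf = (name, fns) =>
  fns.filter(f => f.name !== name && new RegExp(`\\b${name}\\s*\\(`).test(f.body)).map(f => f.name);

// Report each non-literal sink, its transitive caller chain within the file, and
// whether any name in that chain is mentioned in the rest of the code base.
function auditHtmlSinks(source, restOfCodebase = '') {
  const fns = splitFunctions(source);
  const findings = [];
  for (const fn of fns) {
    for (const m of fn.body.matchAll(SINK)) {
      if (isLiteral(m[2])) continue;
      const chain = [fn.name];
      for (let i = 0; i < chain.length; i++) {
        for (const c of callersOf(chain[i], fns)) if (!chain.includes(c)) chain.push(c);
      }
      const live = chain.some(n => new RegExp(`\\b${n}\\b`).test(restOfCodebase));
      findings.push({ fn: fn.name, sink: m[1], value: m[2].trim(), chain, live });
    }
  }
  return findings;
}
```

A finding with `live: false` is a candidate for deletion, as done here; one with `live: true` needs the assignment replaced (for plain text, `textContent`) or its input sanitized.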

🦋 Changeset detected

Latest commit: a7cb231f4374ba3a7d455f95a4521df5f31f5660

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
| Name | Type |
| --- | --- |
| @clerk/clerk-js | Patch |
| @clerk/chrome-extension | Patch |
| @clerk/clerk-expo | Patch |


changeset-bot[bot] avatar Oct 25 '24 20:10 changeset-bot[bot]