Bug: No placeholder icon when safe app's logo cannot be loaded

[mmv08]

What it solves

Resolves safe-global/safe-react-apps#637 by rendering an img tag inside the sandboxed iframe for fetching safe apps icon (for more context see #1193)

thanks to @katspaugh for answering questions and suggesting script tag workaround

How this PR fixes it

It renders an img tag and attaches error event listener. It also allows scripts inside the iframe to define the error listener. Shouldn't be a security risk. Also it seems like scripts must be same-origin and cross origin ones have to be explicitly enabled

How to test it

1. Fetch an app with an erroring image (I don't know such app so i ran https://github.com/safe-global/safe-apps-sdk/tree/master/packages/safe-apps-test-app locally)

Screenshots

[github-actions]

Branch preview

✅ Deploy successful!

https://bug_safe_apps_placeholder_cion--webcore.review-web-core.5afe.dev

[mmv08]

a new cross-theme icon by Lila

[github-actions]

ESLint Summary View Full Report

Annotations are provided inline on the Files Changed tab. You can also see all annotations that were generated on the annotations page.

Type	Occurrences	Fixable
Errors	0	0
Warnings	0	0
Ignored	0	N/A

• Result: ✅ success
• Annotations: 0 total

---

^{Report generated by eslint-plus-action}

[katspaugh]

I would add style="display: block" to avoid a line underneath.

[mmv08]

What line? I didn't see anything unwanted in all browsers I tested (chrome, safari desktop, firefox)

[mmv08]

I remember you mentioned it in the slack convo but when working on it I didn't see a need for it

[katspaugh]

This line:

Inline elements such as img have a line-height that are bigger than the height of the image itself.

[katspaugh]

Doesn't really matter in this case tho, because the iframe itself is 40x40.

[katspaugh]

I would wrap url and alt in double quotes, and escape any double quotes in those strings. Otherwise, we have a classic XSS hole here.

[katspaugh]

Actually, I would hardcode smth like "app logo" in the alt tag. The name of the app is already on the card anyway.

[mmv08]

Good spot regarding xss. I've checked other platforms with lists to see how they implement alt attributes and seems like they don't lol (checked chrome web store, slack store)

[katspaugh]

Like I said, you also might want to escape dangerous symbols here. encodeURI(url) should do the trick.

[mmv08]

The url is validated at the fetch time and also browsers seem to be smart nowadays: https://security.stackexchange.com/questions/124840/xss-vectors-in-img-src-and-background-image-url

[mmv08]

Given we have all these safety things in place I think an additional check inside the component is redundant

[katspaugh]

It's not about fetching, you're inserting a string directly into HTML. It can close the tag and render a butt.

[mmv08]

Doesn't seem like a big security threat to me given that we validate the URL before and the amount of sandboxing we enforce on the iframe. But to get the pr through i added it

[katspaugh]

Have you tried this btw?
https://stackoverflow.com/a/980910/352796

[mmv08]

Have you tried this btw? https://stackoverflow.com/a/980910/352796

It seems to follow the CSP policy set in the app and doesn't allow loading from cross origin domains. If I understand correctly, an object tag can load arbitrary data and not only images, that's why it's enforced

[katspaugh]

Dunno if it's worth it just to show a placeholder for broken icons (it would be better to fix such icons quickly) but looks good. 👍

[JagoFigueroa]

Muchas gracias gentlemen, todo bueno 👍