DN-26: Moved HTML sanitizing to Vue component for security reasons.

conterra · Apr 24, 2024 · 7b1280b · 7b1280b
1 parent bf4988f
commit 7b1280b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/src/main/js/bundles/dn_welcome/WelcomeWidget.ts.vue b/src/main/js/bundles/dn_welcome/WelcomeWidget.ts.vue
@@ -46,9 +46,9 @@
                         :src="infoTextUrl"
                     />
                     <div
-                        v-if="infoText"
+                        v-if="sanitizedInfoText"
                         class="dn-welcome-widget__info-text"
-                        v-html="infoText"
+                        v-html="sanitizedInfoText"
                     />
                 </v-container>
             </v-card-title>
@@ -87,6 +87,7 @@
 
 <script lang="ts">
     import Vue from "apprt-vue/Vue";
+    import {DOMPurify} from "dompurify-bundle";
 
     export default Vue.extend({
         data: function (): any {
@@ -104,6 +105,11 @@
                 imageUrl: "",
                 imageHeight: "200px"
             };
+        },
+        computed: {
+            sanitizedInfoText() {
+                return DOMPurify.sanitize(this.infoText, {USE_PROFILES: {html: true}});
+            }
         }
     });
 </script>
diff --git a/src/main/js/bundles/dn_welcome/WelcomeWidgetFactory.ts b/src/main/js/bundles/dn_welcome/WelcomeWidgetFactory.ts
@@ -17,7 +17,6 @@
 import WelcomeWidget from "./WelcomeWidget.ts.vue";
 import Vue from "apprt-vue/Vue";
 import VueDijit from "apprt-vue/VueDijit";
-import {DOMPurify} from "dompurify-bundle";
 import Config from "./Config";
 
 export default class WelcomeWidgetFactory {
@@ -45,7 +44,7 @@ export default class WelcomeWidgetFactory {
         const config = this.#config;
         const vm = this.#widget = new Vue(WelcomeWidget);
         vm.heading = config.heading;
-        vm.infoText = this.#sanitizeInfoText(config.infoText);
+        vm.infoText = config.infoText;
         vm.infoTextUrl = config.infoTextUrl;
         vm.showButton = config.showButton;
         vm.buttonText = config.buttonText;
@@ -74,10 +73,6 @@ export default class WelcomeWidgetFactory {
         }
     }
 
-    #sanitizeInfoText(infotext: string): string {
-        return DOMPurify.sanitize(infotext);
-    }
-
     set config(config: Config) {
         this.#config = config;
     }