EREGCSC-2363 -- Prevent frontend from interpreting HTML characters (#…

…1502) * chore: update package locks * feat: add DOMPurify library and use with all v-html directives * feat: add custom directive * chore: remove dompurify where it is not needed * docs: add comment/link for custom directive docs
Enterprise-CMCS · Dec 23, 2024 · 6ba08d6 · 6ba08d6
1 parent 85c9d3f
commit 6ba08d6
Show file tree

Hide file tree

Showing 11 changed files with 1,982 additions and 164 deletions.
diff --git a/solution/ui/regulations/directives/sanitizeHtml.js b/solution/ui/regulations/directives/sanitizeHtml.js
@@ -0,0 +1,10 @@
+import DOMPurify from "dompurify";
+
+// https://vuejs.org/guide/reusability/custom-directives#function-shorthand
+// It's common for a custom directive to have the same behavior for mounted and updated,
+// with no need for the other hooks. In such cases we can define the directive as a function:
+const SanitizeHtml = (el, binding) => {
+    el.innerHTML = DOMPurify.sanitize(binding.value);
+};
+
+export default SanitizeHtml;