diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-18 09:10:50 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-18 09:10:50 +0300 |
| commit | c2f65d6e6f569415fe60e40aec5be6458d6a99bb (patch) | |
| tree | 133300137ca292ecce5036d7952d29134643d476 /doc | |
| parent | a3633566291bf9889f2e03e7e2d472f5bc5a5c9f (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/development/fe_guide/security.md | 2 | ||||
| -rw-r--r-- | doc/development/secure_coding_guidelines.md | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/doc/development/fe_guide/security.md b/doc/development/fe_guide/security.md index 4b7ce6d11e3..d578449e578 100644 --- a/doc/development/fe_guide/security.md +++ b/doc/development/fe_guide/security.md @@ -88,7 +88,7 @@ readability. If you need to output raw HTML, you should sanitize it. -If you are using Vue, you can use the[`v-safe-html` directive](https://gitlab-org.gitlab.io/gitlab-ui/?path=/story/directives-safe-html-directive--default) from GitLab UI. +If you are using Vue, you can use the[`v-safe-html` directive](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/vue_shared/directives/safe_html.js). For other use cases, wrap a preconfigured version of [`dompurify`](https://www.npmjs.com/package/dompurify) that also allows the icons to be rendered: diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index c102e99720f..e99926663dd 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md @@ -410,7 +410,7 @@ References: #### XSS mitigation and prevention in JavaScript and Vue - When updating the content of an HTML element using JavaScript, mark user-controlled values as `textContent` or `nodeValue` instead of `innerHTML`. -- Avoid using `v-html` with user-controlled data, use [`v-safe-html`](https://gitlab-org.gitlab.io/gitlab-ui/?path=/story/directives-safe-html-directive--default) instead. +- Avoid using `v-html` with user-controlled data, use [`v-safe-html`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/vue_shared/directives/safe_html.js) instead. - Render unsafe or unsanitized content using [`dompurify`](fe_guide/security.md#sanitize-html-output). - Consider using [`gl-sprintf`](../../ee/development/i18n/externalization.md#interpolation) to interpolate translated strings securely. - Avoid `__()` with translations that contain user-controlled values. |