Diffstat (limited to 'app/assets/javascripts/vue_shared/directives/safe_html.js')
-rw-r--r--app/assets/javascripts/vue_shared/directives/safe_html.js25
1 files changed, 25 insertions, 0 deletions
diff --git a/app/assets/javascripts/vue_shared/directives/safe_html.js b/app/assets/javascripts/vue_shared/directives/safe_html.js
new file mode 100644
index 00000000000..450c7fc1bc5
--- /dev/null
+++ b/app/assets/javascripts/vue_shared/directives/safe_html.js
@@ -0,0 +1,25 @@
+import { sanitize } from '~/lib/dompurify';
+
+// Mitigate against future dompurify mXSS bypasses by
+// avoiding additional serialize/parse round trip.
+// See https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/1782
+// and https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/2127
+// for more details.
+const DEFAULT_CONFIG = {
+ RETURN_DOM_FRAGMENT: true,
+};
+
+const transform = (el, binding) => {
+ if (binding.oldValue !== binding.value) {
+ const config = { ...DEFAULT_CONFIG, ...(binding.arg ?? {}) };
+
+ el.textContent = '';
+
+ el.appendChild(sanitize(binding.value, config));
+ }
+};
+
+export default {
+ bind: transform,
+ update: transform,
+};
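Review bot: In `transform`, the merge `{ ...DEFAULT_CONFIG, ...(binding.arg ?? {}) }` lets a per-use config override `RETURN_DOM_FRAGMENT`, which is the one option the header comment says is the mXSS mitigation; with it set to false, `sanitize` returns a string and `el.appendChild` would throw rather than render. Reversing the spread order pins the default regardless of caller input, `const config = { ...(binding.arg ?? {}), ...DEFAULT_CONFIG };`, and a one-line comment above it saying the fragment mode is not overridable would make the intent explicit. Separately, in Vue 2 a directive's `binding.arg` is normally a string unless a dynamic argument is used, so spreading it yields character-indexed keys rather than a DOMPurify config; it may be worth a comment stating that callers are expected to pass an object via a dynamic argument, or a `typeof binding.arg === 'object'` guard, but I cannot confirm the intended usage from this file alone.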