Diffstat (limited to 'app/assets/javascripts/vue_shared/directives/safe_html.js')
-rw-r--r-- | app/assets/javascripts/vue_shared/directives/safe_html.js | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/app/assets/javascripts/vue_shared/directives/safe_html.js b/app/assets/javascripts/vue_shared/directives/safe_html.js
new file mode 100644
index 00000000000..450c7fc1bc5
--- /dev/null
+++ b/app/assets/javascripts/vue_shared/directives/safe_html.js
@@ -0,0 +1,25 @@
+import { sanitize } from '~/lib/dompurify';
+
+// Mitigate against future dompurify mXSS bypasses by
+// avoiding additional serialize/parse round trip.
+// See https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/1782
+// and https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/2127
+// for more details.
+const DEFAULT_CONFIG = {
+  RETURN_DOM_FRAGMENT: true,
+};
+
+const transform = (el, binding) => {
+  if (binding.oldValue !== binding.value) {
+    const config = { ...DEFAULT_CONFIG, ...(binding.arg ?? {}) };
+
+    el.textContent = '';
+
+    el.appendChild(sanitize(binding.value, config));
+  }
+};
+
+export default {
+  bind: transform,
+  update: transform,
+};
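Review bot: The spread order in `const config = { ...DEFAULT_CONFIG, ...(binding.arg ?? {}) };` lets a caller-supplied argument override `RETURN_DOM_FRAGMENT`, which is the one setting the header comment introduces to avoid the serialize/parse round trip; with it forced to false, `sanitize` returns a string and `el.appendChild` throws a TypeError. Putting the default last so it always wins, `const config = { ...(binding.arg ?? {}), ...DEFAULT_CONFIG };`, keeps the mXSS mitigation non-negotiable while still letting callers pass other DOMPurify options. Separately, a static Vue 2 directive argument is a string, and spreading a string produces index keys rather than config; if only dynamic-argument objects are intended, a one-line comment above `transform` saying that the argument must be a DOMPurify config object would spare the next reader the surprise.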