Merge pull request #18377 from mvdbeek/sanitize_form_element_form_err…

…or_v_html [24.0] Sanitize FormElement error messages
galaxyproject · Jun 11, 2024 · 794c8ab · 794c8ab
2 parents 96c9be3 + 4f5d813
commit 794c8ab
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/client/src/components/Form/FormElement.vue b/client/src/components/Form/FormElement.vue
@@ -3,9 +3,12 @@ import { library } from "@fortawesome/fontawesome-svg-core";
 import { faCaretSquareDown, faCaretSquareUp } from "@fortawesome/free-regular-svg-icons";
 import { faArrowsAltH, faExclamation, faTimes } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/vue-fontawesome";
+import { sanitize } from "dompurify";
 import type { ComputedRef } from "vue";
 import { computed, ref, useAttrs } from "vue";
 
+import { linkify } from "@/utils/utils";
+
 import type { FormParameterAttributes, FormParameterTypes, FormParameterValue } from "./parameterTypes";
 
 import FormBoolean from "./Elements/FormBoolean.vue";
@@ -181,7 +184,9 @@ const isOptional = computed(() => !isRequired.value && attrs.value["optional"] !
         :class="{ alert: hasAlert, 'alert-info': hasAlert }">
         <div v-if="hasAlert" class="ui-form-error">
             <FontAwesomeIcon class="mr-1" icon="fa-exclamation" />
-            <span class="ui-form-error-text" v-html="props.error || props.warning" />
+            <span
+                class="ui-form-error-text"
+                v-html="linkify(sanitize(props.error || props.warning, { USE_PROFILES: { html: true } }))" />
         </div>
 
         <div class="ui-form-title">