From 4f5d81325eb817cbe865077222d64e82a568bab4 Mon Sep 17 00:00:00 2001
From: mvdbeek
Date: Tue, 11 Jun 2024 19:35:20 +0200
Subject: [PATCH] Sanitize FormElement error messages

v-html was introduced in https://github.com/galaxyproject/galaxy/commit/6682ca60fe64087a15d3e69c68a2054ca950d538 to show bold items. `FormElement` however is used so widely that it's hard to keep track on whether or not user-modifiable fields are shown, so better safe than sorry.
---
 client/src/components/Form/FormElement.vue | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/client/src/components/Form/FormElement.vue b/client/src/components/Form/FormElement.vue
index 17314b77cbcc..34baae64c846 100644
--- a/client/src/components/Form/FormElement.vue
+++ b/client/src/components/Form/FormElement.vue
@@ -3,9 +3,12 @@ import { library } from "@fortawesome/fontawesome-svg-core";
 import { faCaretSquareDown, faCaretSquareUp } from "@fortawesome/free-regular-svg-icons";
 import { faArrowsAltH, faExclamation, faTimes } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/vue-fontawesome";
+import { sanitize } from "dompurify";
 import type { ComputedRef } from "vue";
 import { computed, ref, useAttrs } from "vue";
+import { linkify } from "@/utils/utils";
+
 import type { FormParameterAttributes, FormParameterTypes, FormParameterValue } from "./parameterTypes";
 import FormBoolean from "./Elements/FormBoolean.vue";
@@ -181,7 +184,9 @@ const isOptional = computed(() => !isRequired.value && attrs.value["optional"] !
 :class="{ alert: hasAlert, 'alert-info': hasAlert }">
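Review bot: `sanitize` from dompurify is brought in here with no configuration visible, and DOMPurify's default profile still admits `<a href>`, `<img src>` and inline `style` attributes — far more than the bold markup the commit message says these error messages need; the template hunk that applies it is cut off below, so how it is called is inferred. Consider a tight allowlist at the call site, `sanitize(html, { ALLOWED_TAGS: ["b", "strong", "a"], ALLOWED_ATTR: ["href"] })`, widened only to whatever `linkify` actually emits. Also make sure `sanitize` is the outermost call around `linkify(...)`: linkify turns text into `<a href>` markup, so anything it produces must itself pass through the sanitizer rather than being appended after it. A one-line comment next to the import, `// error text may be user-controlled: always sanitize after linkify, never before`, would keep that ordering from being lost in a later edit.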
- +