Unverified Commit 4f5d8132 authored by mvdbeek's avatar mvdbeek

Sanitize FormElement error messages

v-html was introduced in https://github.com/galaxyproject/galaxy/commit/6682ca60fe64087a15d3e69c68a2054ca950d538
to show bold items. `FormElement` however is used so widely that it's
hard to keep track of whether user-modifiable fields are rendered through it,
so better safe than sorry.
parent 96c9be32
+6 −1
@@ -3,9 +3,12 @@ import { library } from "@fortawesome/fontawesome-svg-core";
import { faCaretSquareDown, faCaretSquareUp } from "@fortawesome/free-regular-svg-icons";
import { faArrowsAltH, faExclamation, faTimes } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/vue-fontawesome";
import { sanitize } from "dompurify";
import type { ComputedRef } from "vue";
import { computed, ref, useAttrs } from "vue";

import { linkify } from "@/utils/utils";

import type { FormParameterAttributes, FormParameterTypes, FormParameterValue } from "./parameterTypes";

import FormBoolean from "./Elements/FormBoolean.vue";
@@ -181,7 +184,9 @@ const isOptional = computed(() => !isRequired.value && attrs.value["optional"] !
        :class="{ alert: hasAlert, 'alert-info': hasAlert }">
        <div v-if="hasAlert" class="ui-form-error">
            <FontAwesomeIcon class="mr-1" icon="fa-exclamation" />
            <span class="ui-form-error-text" v-html="props.error || props.warning" />
            <span
                class="ui-form-error-text"
                v-html="linkify(sanitize(props.error || props.warning, { USE_PROFILES: { html: true } }))" />
        </div>

        <div class="ui-form-title">
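Review bot: On the new `v-html` line, `linkify` runs on DOMPurify's output, so any markup `linkify` itself emits (presumably `<a>` tags built from URL-like text that is still attacker-influenced at that point) reaches the DOM without passing through the sanitizer. Making `sanitize` the outermost call keeps DOMPurify as the last step before rendering: `v-html="sanitize(linkify(props.error || props.warning), { USE_PROFILES: { html: true } })"`. If `linkify` sets `target` or `rel` on the anchors it creates, those would need to be allowed with `ADD_ATTR` in the same config, since `target` is not in DOMPurify's default attribute allowlist. `linkify` lives in `@/utils/utils` and is not visible in this hunk, so the exact markup it produces should be confirmed before reordering. The enclosing `<template>` and the component's script block start outside this hunk.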