Merge pull request #1394 from bartbutenaers/sanetize-html

Sanitize HTML Injections

ui/src/widgets/ui-button/UIButton.vue

@@ -19,6 +19,8 @@
 </template>
 
 <script>
+
+import DOMPurify from 'dompurify'
 import { mapState } from 'vuex' // eslint-disable-line import/order
 
 export default {
@@ -47,7 +49,8 @@ export default {
             return icon && this.iconPosition === 'right' ? mdiIcon : undefined
         },
         label () {
-            return this.getProperty('label')
+            // Sanetize the html to avoid XSS attacks
+            return DOMPurify.sanitize(this.getProperty('label'))
         },
         iconPosition () {
             return this.getProperty('iconPosition')

ui/src/widgets/ui-notification/UINotification.vue

@@ -34,6 +34,7 @@
 </template>
 
 <script>
+import DOMPurify from 'dompurify'
 import { mapState } from 'vuex'
 
 export default {
@@ -60,7 +61,9 @@ export default {
         ...mapState('data', ['messages']),
         value: function () {
             // Get the value (i.e. the notification text content) from the last input msg
-            return this.messages[this.id]?.payload
+            const value = this.messages[this.id]?.payload
+            // Sanetize the html to avoid XSS attacks
+            return DOMPurify.sanitize(value)
         },
         allowConfirm () {
             return this.getProperty('allowConfirm')

ui/src/widgets/ui-text/UIText.vue

@@ -24,7 +24,8 @@ export default {
         value: function () {
             const m = this.messages[this.id] || {}
             if (Object.prototype.hasOwnProperty.call(m, 'payload')) {
-                return m.payload
+                // Sanetize the html to avoid XSS attacks
+                return DOMPurify.sanitize(m.payload)
             }
             return ''
         },