Merge pull request #1844 from blesildaramirez/i9717

pkp/pkp-lib#9717 Resolve template injection risks in Smarty/Vue interactions

package.json

@@ -55,6 +55,7 @@
     "cypress-file-upload": "^5.0.8",
     "cypress-iframe": "^1.0.1",
     "cypress-wait-until": "^2.0.1",
+    "dompurify": "^3.2.4",
     "eslint": "^8.48.0",
     "eslint-plugin-vue": "^9.17.0",
     "google-closure-compiler-java": "^20200719.0.0",

plugins/importexport/native/templates/index.tpl

@@ -87,7 +87,7 @@
 								/>
 								<span
                                     class="listPanel__itemSubTitle"
-                                    v-html="localize(
+                                    v-strip-unsafe-html="localize(
                                         item.publications.find(p => p.id == item.currentPublicationId).fullTitle,
                                         item.publications.find(p => p.id == item.currentPublicationId).locale
                                     )"

plugins/importexport/onix30/templates/index.tpl

@@ -59,7 +59,7 @@
 											/>
 											<span 
                                                 class="listPanel__itemSubTitle"
-                                                v-html="localize(
+                                                v-strip-unsafe-html="localize(
                                                             item.publications.find(p => p.id == item.currentPublicationId).fullTitle,
                                                             item.publications.find(p => p.id == item.currentPublicationId).locale
                                                         )"

plugins/pubIds/urn/js/FieldTextUrn.js

@@ -27,7 +27,7 @@ pkp.registry.registerComponent('FieldTextUrn', {
 		'			<div' +
 		'				v-if="isPrimaryLocale && description"' +
 		'				class="pkpFormField__description"' +
-		'				v-html="description"' +
+		'				v-strip-unsafe-html="description"' +
 		'				:id="describedByDescriptionId"' +
 		'			/>' +
 		'			<div class="pkpFormField__control" :class="controlClasses">' +