#9421 replace v-html with v-strip-unsave-html (#9702)

pkp · Feb 9, 2024 · fa3c7bf · fa3c7bf
1 parent 42de372
commit fa3c7bf
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 7 deletions.
diff --git a/js/load.js b/js/load.js
@@ -19,6 +19,9 @@ import VueScrollTo from 'vue-scrollto';
 import dialog from '@/mixins/dialog.js';
 import localizeMoment from '@/mixins/localizeMoment.js';
 
+// Directives
+import {stripUnsafeHtml} from '@/directives/stripUnsafeHtml';
+
 // Global components of UI Library
 import Badge from '@/components/Badge/Badge.vue';
 import Dropdown from '@/components/Dropdown/Dropdown.vue';
@@ -101,7 +104,7 @@ Vue.use(VModal, {
 Vue.use(VTooltip, {defaultTrigger: 'click'});
 Vue.use(VueScrollTo);
 Vue.mixin(GlobalMixins);
-
+Vue.directive('strip-unsafe-html', stripUnsafeHtml);
 // Register global components
 Vue.component('Badge', Badge);
 Vue.component('PkpBadge', Badge);

diff --git a/templates/submission/review-editors.tpl b/templates/submission/review-editors.tpl
@@ -90,7 +90,7 @@
                     <div
                         v-if="submission.commentsForTheEditors"
                         class="submissionWizard__reviewPanel__item__value"
-                        v-html="submission.commentsForTheEditors"
+                        v-strip-unsafe-html="submission.commentsForTheEditors"
                     ></div>
                     <div v-else class="submissionWizard__reviewPanel__item__value">
                         {translate key="common.none"}

diff --git a/templates/submission/review-publication-field.tpl b/templates/submission/review-publication-field.tpl
@@ -36,7 +36,7 @@
     <div
         class="submissionWizard__reviewPanel__item__value"
         {if $type === 'html'}
-            v-html="publication.{$localizedProp|escape}
+            v-strip-unsafe-html="publication.{$localizedProp|escape}
                 ? publication.{$localizedProp|escape}
                 : '{translate key="common.noneProvided"}'"
         {/if}
@@ -54,7 +54,7 @@
                 {translate key="common.noneProvided"}
             </template>
         {elseif $type === 'html'}
-            {* empty. see v-html above *}
+            {* empty. see v-strip-unsafe-html above *}
         {else}
             <template v-if="publication.{$localizedProp|escape}">
                 {{ publication.{$localizedProp|escape} }}

diff --git a/templates/submission/wizard.tpl b/templates/submission/wizard.tpl
@@ -19,7 +19,7 @@
             </template>
             <template v-if="localize(publication.title)">
                 <span class="app__breadcrumbsSeparator" aria-hidden="true">/</span>
-                <span v-html="localize(publication.title)">
+                <span v-strip-unsafe-html="localize(publication.title)">
             </template>
         </div>
         <h1 class="app__pageHeading" ref="pageTitle">
@@ -74,7 +74,7 @@
                     <panel-section v-for="section in step.sections" :key="section.id">
                         <template slot="header">
                             <h2>{{ section.name }}</h2>
-                            <div v-html="section.description" />
+                            <div v-strip-unsafe-html="section.description" />
                         </template>
                         <pkp-form
                             v-if="section.type === 'form'"

diff --git a/templates/workflow/submissionIdentification.tpl b/templates/workflow/submissionIdentification.tpl
@@ -26,6 +26,6 @@
 
 <span 
 	class="pkpWorkflow__identificationTitle" 
-	v-html="localizeSubmission(currentPublication.fullTitle, currentPublication.locale)"
+	v-strip-unsafe-html="localizeSubmission(currentPublication.fullTitle, currentPublication.locale)"
 >
 </span>