daichirata / vue-sanitize Goto Github PK

Due to the definition of the sanitize-html dependency as "^2.7.0", provoke that an update of this library to the version 2.8.0 two days ago (2022/12/12) broke the compilation of the source code of our application.
It seems that it was an error related with a third party library dependency, htmlparser2 with the version 8.0.0, the reason that provokes the error.
The error we're getting is the following:

⠼  Building for production as library (commonjs,umd,umd-min)...

 ERROR  Failed to compile with 1 error                                                                                                                   15:31:05

 error  in ./node_modules/htmlparser2/lib/esm/index.js

Module parse failed: Unexpected token (59:9)
You may need an appropriate loader to handle this file type, currently no loaders are configured to process this file. See https://webpack.js.org/concepts#loaders
|     return getFeed(parseDOM(feed, options));
| }
> export * as DomUtils from "domutils";
| // Old name for DomHandler
| export { DomHandler as DefaultHandler };

 @ ./node_modules/sanitize-html/index.js 1:19-41
 @ ./node_modules/vue-sanitize/dist/vue-sanitize.js
 @ ./src/index.js
 @ ./node_modules/@vue/cli-service/lib/commands/build/entry-lib.js

This error doesn't happen with the previous version 2.7.3 of sanitize-html because the version of htmlparser2 library was 6.0.0, and with this version all seems to work fine.

A possible solution is to fix the version of sanitize-html, instead of using ^2.7.0 better use ~2.7.0.

Given the purpose of this package is to sanitize HTML before rendering in Vue (presumably to prevent XSS attacks), the example you have given isn't actually safe.

This is your example setup:

defaultOptions = {
    allowedTags: ['a', 'b'],
    allowedAttributes: {
      'a': [ 'href' ]
    }
};
Vue.use(VueSanitize, defaultOptions);

This would still allow an attacker to do the following: <a href="javascript:someDangerousScript()">Click here</a>.

You should probably add a note to your example - unless this package sanitizes the href tag to remove javascript?

Hey.

I'm using Vue 3 and I can neither use this.sanitize() in the script tags, nor $sanitize() in the template.

How to use in Nuxt?

html sanitize allows allowedStyles: apostrophecms/sanitize-html#158

Can this?

If try use vue-sanitize in html page:
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/vue-sanitize.min.js"></script>
script throw error - require not defined.