Merge pull request #4669 from blesildaramirez/i9717

pkp/pkp-lib#9717 Resolve template injection risks in Smarty/Vue interactions

package.json

@@ -20,7 +20,7 @@
     "@tinymce/tinymce-vue": "^6.1.0",
     "@vue-a11y/announcer": "^3.1.5",
     "@vueuse/core": "^10.5.0",
-		"altcha": "^1.0.7",
+    "altcha": "^1.0.7",
     "chart.js": "^4.4.3",
     "clone-deep": "^4.0.1",
     "copyfiles": "^2.4.1",
@@ -55,6 +55,7 @@
     "cypress-file-upload": "^5.0.8",
     "cypress-iframe": "^1.0.1",
     "cypress-wait-until": "^2.0.1",
+    "dompurify": "^3.2.4",
     "eslint": "^8.48.0",
     "eslint-plugin-vue": "^9.17.0",
     "google-closure-compiler-java": "^20200719.0.0",

plugins/importexport/native/templates/index.tpl

@@ -85,7 +85,7 @@
 								/>
 								<span
 									class="listPanel__itemSubTitle"
-									v-html="localize(
+									v-strip-unsafe-html="localize(
 										item.publications.find(p => p.id == item.currentPublicationId).fullTitle,
 										item.publications.find(p => p.id == item.currentPublicationId).locale
 									)"

plugins/importexport/pubmed/templates/index.tpl

@@ -52,7 +52,7 @@
 									/>
 									<span 
 										class="listPanel__itemSubTitle" 
-										v-html="localize(
+										v-strip-unsafe-html="localize(
 											item.publications.find(p => p.id == item.currentPublicationId).fullTitle,
 											item.publications.find(p => p.id == item.currentPublicationId).locale
 										)"

plugins/pubIds/urn/js/FieldTextUrn.js

@@ -27,7 +27,7 @@ pkp.registry.registerComponent('FieldTextUrn', {
 		'			<div' +
 		'				v-if="isPrimaryLocale && description"' +
 		'				class="pkpFormField__description"' +
-		'				v-html="description"' +
+		'				v-strip-unsafe-html="description"' +
 		'				:id="describedByDescriptionId"' +
 		'			/>' +
 		'			<div class="pkpFormField__control" :class="controlClasses">' +