usdigitalresponse / usdr-gost

USDR-hosted grants management tools
http://grants.usdigitalresponse.org
Apache License 2.0

[spike] Investigate options to mitigate v-html vulnerability #2572

Open jeffsmohan opened 8 months ago

jeffsmohan commented 8 months ago

Why is this issue important?

We currently display grant description text on the site using v-html, which inserts the contents as raw html. This can open us up to XSS attacks unless we properly sanitize the text first. Level of concern is not super high, since we should be able to trust the source of the data, but it's still well worth fixing the security hole.

Current State

We use v-html in the legacy and new grant details modal/page to display the details.

The description text we get from our data sources is not especially consistent/clean, so it sometimes contains HTML entities (e.g., &amp;) or tags (e.g., <p> or <br>) that are useful in displaying the data properly. However, they can't be counted on and are sometimes double-encoded (e.g., &amp;#8226; for a bullet).

Expected State

We should find a better way to display the content with good readability and without any security vulnerability.

Implementation Plan

This ticket is a spike to investigate possible approaches. An initial non-exhaustive set of ideas to explore based on my conversation with @TylerHendrickson:

Relevant Code Snippets

No response

jeffsmohan commented 7 months ago

Note that an analogous vulnerability exists in our email rendering where we render un-escaped grant description text: https://github.com/usdigitalresponse/usdr-gost/blob/9e903c3923a01bff87cc7d49a0f69236a1ff57a0/packages/server/src/static/email_templates/_grant_detail.html#L34
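As an added illustration (not code from usdr-gost), one sanitize-before-render approach for the description text discussed in the issue and in the email template comment above: fully decode entities, including double-encoded ones such as `&amp;#8226;`, escape the whole result as text, then restore only a small allowlist of attribute-free formatting tags. The tag allowlist and the constructed sample input are assumptions for the example; a maintained sanitizer library is the more robust production choice, and this shows the shape of the check.

```javascript
// Added example, not project code. Inputs like the constructed sample below
// come from inconsistent data sources: real tags, encoded tags, and
// double-encoded entities may all appear in one description.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode one layer of HTML entities (named, decimal, hex). Unknown names stay as-is.
function decodeEntitiesOnce(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Repeat until stable so &amp;#8226; becomes a bullet; bounded so hostile
// input cannot make this loop forever.
function decodeEntities(s, maxRounds = 3) {
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntitiesOnce(prev);
    if (next === prev) break;
    prev = next;
  }
  return prev;
}

// Escape every character that could start markup, so the fully decoded text
// is inert regardless of what tags or attributes it contained.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed allowlist: only these tags, with no attributes, are turned back into
// real markup. <script>, event-handler attributes, <p class=...> etc. stay text.
const ALLOWED_TAG_RE = /&lt;(\/?)(p|br|ul|ol|li|strong|em)\s*\/?&gt;/gi;

// Use as v-html="sanitizeDescription(grant.description)" or in the email
// template renderer instead of inserting the raw field.
function sanitizeDescription(raw) {
  const escaped = escapeHtml(decodeEntities(String(raw)));
  return escaped.replace(ALLOWED_TAG_RE, (m, slash, tag) => `<${slash}${tag.toLowerCase()}>`);
}

// Constructed sample description mixing legitimate markup with a hostile tag.
const SAMPLE = 'Funds for <p>water &amp; sewer</p><br>&amp;#8226; item<script>x()</script>';
console.log(sanitizeDescription(SAMPLE));
```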