Open jeffsmohan opened 8 months ago
Note that an analogous vulnerability exists in our email rendering where we render un-escaped grant description text: https://github.com/usdigitalresponse/usdr-gost/blob/9e903c3923a01bff87cc7d49a0f69236a1ff57a0/packages/server/src/static/email_templates/_grant_detail.html#L34
Why is this issue important?

We currently display grant description text on the site using v-html, which inserts the contents as raw HTML. This can open us up to XSS attacks unless we properly sanitize the text first. Level of concern is not super high, since we should be able to trust the source of the data, but it's still well worth fixing the security hole.

Current State

We use v-html in both the legacy and the new grant details modal/page to display the details. The description text we get from our data sources is not especially consistent/clean, so it sometimes contains HTML entities (e.g., &) or tags (e.g., <p> or <br>) that are useful in displaying the data properly. However, they can't be counted on and are sometimes double-encoded (e.g., &#8226; for a bullet).

Expected State

We should find a better way to display the content with good readability and without any security vulnerability.

Implementation Plan

This ticket is a spike to investigate possible approaches. An initial non-exhaustive set of ideas to explore based on my conversation with @TylerHendrickson:

- v-html on this "safe" content

Relevant Code Snippets
No response
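The "sanitize first, then v-html the safe content" idea from the plan above, as an added example that is not code from this issue or the usdr-gost project: it decodes entities (repeatedly, to undo the double-encoding seen in the data), escapes everything, and then re-enables only bare, attribute-less tags from a small allowlist, so the result can be bound with v-html. The allowlist, the maxDecodePasses limit and the sample inputs are my own assumptions, not project settings.

```javascript
// Minimal allowlist sanitizer for untrusted grant description text (added example).
// Strategy: decode entities -> escape everything -> re-open only harmless bare tags.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// One decoding pass over named and numeric (&#NNN; / &#xHH;) entities.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot|apos|nbsp);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m; // leave junk as-is
    }
    return NAMED[body.toLowerCase()] ?? m;
  });
}

// Escape every character that could start markup; nothing survives this unescaped.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed allowlist: formatting tags only, and only with no attributes at all.
const ALLOWED_TAGS = ['p', 'br', 'ul', 'ol', 'li', 'b', 'i', 'strong', 'em'];
const TAG_RE = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})\\s*/?&gt;`, 'gi');

function sanitizeGrantDescription(raw, maxDecodePasses = 3) {
  let text = String(raw ?? '');
  // Undo double (or triple) encoding such as "&amp;#8226;"; over-decoding is safe
  // because everything is escaped again below.
  for (let i = 0; i < maxDecodePasses; i++) {
    const next = decodeEntities(text);
    if (next === text) break;
    text = next;
  }
  // Re-open only exact allowlisted tags; anything carrying attributes stays escaped text.
  return escapeHtml(text).replace(TAG_RE, (_m, slash, tag) => `<${slash}${tag.toLowerCase()}>`);
}

// Constructed sample inputs mirroring the messy data described in the issue.
console.log(sanitizeGrantDescription('<p>Apply &amp; win</p>'));            // <p>Apply &amp; win</p>
console.log(sanitizeGrantDescription('&amp;#8226; Eligible entities'));     // • Eligible entities
console.log(sanitizeGrantDescription('<img src=x onerror=alert(1)>'));      // escaped, no tag survives
```

For production use, a maintained sanitizer library is the better choice; this block only shows the mechanics of the allowlist approach.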