This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

fix: LEAP-444: Implement HTML sanitization in LSF #1651

Merged: 7 commits merged into master from fb-leap-444 on Jan 3, 2024

Conversation

juliosgarbi (Contributor)

PR fulfills these requirements

  • Commit message(s) and PR title follow the format [fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made ex. fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
  • Tests for the changes have been added/updated (for bug fixes/features)
  • Docs have been added/updated (for bug fixes/features)
  • Best efforts were made to ensure docs/code are concise and coherent (checked for spelling/grammatical errors, commented out code, debug logs etc.)
  • Self-reviewed and ran all changes on a local instance (for bug fixes/features)

Change has impacts in these area(s)

(check all that apply)

  • Product design
  • Frontend

Describe the reason for change

The primary goal of this PR is to enhance the security and integrity of the Label Studio Frontend (LSF) by introducing HTML sanitization across all components. This effort is in response to the need for a secure environment that effectively neutralizes potential security threats in HTML inputs while maintaining essential functionalities and user experience.

What does this fix?

This PR specifically addresses the issue of Cross-Site Scripting (XSS) vulnerabilities in the Label Studio Frontend by implementing proper HTML sanitization in all components that use dangerouslySetInnerHTML. The changes ensure that any HTML content rendered through dangerouslySetInnerHTML is thoroughly sanitized, thereby preventing the execution of malicious scripts or XSS attacks. This enhancement significantly strengthens the security of the application, safeguarding it against common web vulnerabilities associated with improper handling of HTML content.

What libraries were added/updated?

none

Does this change affect performance?

no

Does this change affect security?

Yes. This PR significantly enhances security by implementing HTML sanitization in components using dangerouslySetInnerHTML. It mitigates Cross-Site Scripting (XSS) risks by neutralizing malicious scripts in HTML content, ensuring safer handling of HTML in the application. This proactive approach not only prevents XSS attacks but also sets a higher standard for future security practices in the Label Studio Frontend.

What alternative approaches were there?

no

What feature flags were used to cover this change?

fflag_fix_front_leap_444_html_sanitization_lsf_components

Does this PR introduce a breaking change?

(check only one)

  • Yes, and covered entirely by feature flag(s)
  • Yes, and covered partially by feature flag(s)
  • No
  • Not sure (briefly explain the situation below)

What level of testing was included in the change?

(check all that apply)

  • e2e
  • integration
  • unit
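As an added example (not the Label Studio Frontend code, and not the sanitizer this PR actually introduced, which the page does not show), the JavaScript below demonstrates the mechanism the description refers to: an allowlist sanitizer placed in front of `dangerouslySetInnerHTML`. Unknown tags are stripped while their text is kept, `script`/`style`/`iframe` content is removed entirely, event-handler attributes are dropped, and `href` values are checked for a safe scheme only after entity decoding and whitespace stripping, because browsers apply both before they interpret a URL. The allowlists and the names `sanitizeHtml` and `safeInnerHtml` are assumptions made for this illustration; in a real code base a maintained, fuzzed library such as DOMPurify is the right choice, and this hand-written scanner exists only to make the failure modes visible.

```javascript
// Added example, not the Label Studio Frontend code: an allowlist HTML sanitizer to put in
// front of dangerouslySetInnerHTML. Allowlists and the names sanitizeHtml/safeInnerHtml are
// assumptions made for this illustration; production code should use a maintained library.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'span', 'a', 'ul', 'ol', 'li', 'code', 'pre']);
const GLOBAL_ATTRS = new Set(['class', 'title']);
const TAG_ATTRS = new Map([['a', new Set(['href'])]]);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
// Tags whose text content must go too (script source, style rules, nested documents).
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template']);
// Sticky regexes match exactly at lastIndex, so the scanner never silently skips input.
const NAME_RE = /[a-zA-Z][a-zA-Z0-9-]*/y, ATTR_NAME_RE = /[^\s"'>/=]+/y, UNQUOTED_RE = /[^\s>]*/y, WS_RE = /\s*/y;
const matchAt = (re, s, i) => { re.lastIndex = i; return re.exec(s); };
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
// Decode character references once, as the browser does for an attribute value;
// otherwise "&#106;avascript:" passes a scheme check that only sees the raw text.
const ENTITY_RE = /&(?:#x([0-9a-f]+);?|#([0-9]+);?|(amp|lt|gt|quot|apos);)/gi;
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s.replace(ENTITY_RE, (m, hex, dec, name) => {
    if (name) return NAMED[name.toLowerCase()];
    const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

// Browsers drop ASCII controls/whitespace before parsing a URL, so "java\tscript:" would still run.
function isSafeUrl(value) {
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(value.replace(/[\u0000-\u0020\u007f]/g, ''));
  return !scheme || SAFE_SCHEMES.has(scheme[1].toLowerCase()); // no scheme: relative URL or fragment
}
// Parse one tag starting at s[start] === '<'. Returns null when it is not a well-formed
// tag; the caller then emits the '<' as escaped text instead of guessing.
function readTag(s, start) {
  let i = start + 1, closing = false;
  if (s[i] === '/') { closing = true; i++; }
  const nm = matchAt(NAME_RE, s, i);
  if (!nm) return null;
  const name = nm[0].toLowerCase(), attrs = [];
  i += nm[0].length;
  while (i < s.length) {
    i += matchAt(WS_RE, s, i)[0].length;
    if (s[i] === '>') return { name, attrs, closing, end: i + 1 };
    if (s[i] === '/') { i++; continue; }
    const an = matchAt(ATTR_NAME_RE, s, i);
    if (!an) return null;
    i += an[0].length + matchAt(WS_RE, s, i + an[0].length)[0].length;
    let value = '';
    if (s[i] === '=') {
      i += 1 + matchAt(WS_RE, s, i + 1)[0].length;
      const q = s[i];
      if (q === '"' || q === "'") {
        const end = s.indexOf(q, i + 1);
        if (end === -1) return null; // unterminated quote
        value = s.slice(i + 1, end); i = end + 1;
      } else { value = matchAt(UNQUOTED_RE, s, i)[0]; i += value.length; }
    }
    attrs.push([an[0].toLowerCase(), value]);
  }
  return null; // ran off the end: unterminated tag
}
function serializeAttrs(tag, attrs) {
  let out = '';
  for (const [name, raw] of attrs) {
    if (!GLOBAL_ATTRS.has(name) && !TAG_ATTRS.get(tag)?.has(name)) continue; // on*, style, srcdoc, ...
    const value = decodeEntities(raw);
    if (name === 'href' && !isSafeUrl(value)) continue;
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeHtml(input) {
  let out = '', i = 0;
  while (i < input.length) {
    const lt = input.indexOf('<', i);
    if (lt === -1) { out += escapeText(input.slice(i)); break; }
    out += escapeText(input.slice(i, lt));
    i = lt;
    if (input.startsWith('<!--', i)) { // comments are dropped whole
      const end = input.indexOf('-->', i + 4);
      i = end === -1 ? input.length : end + 3;
      continue;
    }
    const tag = readTag(input, i);
    if (!tag) { out += '&lt;'; i++; continue; } // malformed: render as text
    i = tag.end;
    if (tag.closing) { if (ALLOWED_TAGS.has(tag.name)) out += `</${tag.name}>`; continue; }
    if (DROP_CONTENT_TAGS.has(tag.name)) { // skip up to and including the matching close tag
      const close = new RegExp(`</${tag.name}\\s*>`, 'gi'); close.lastIndex = i;
      const m = close.exec(input);
      i = m ? m.index + m[0].length : input.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag.name)) continue; // unknown tag: drop the tag, keep its text
    out += `<${tag.name}${serializeAttrs(tag.name, tag.attrs)}>`;
  }
  return out;
}
// React glue: <div dangerouslySetInnerHTML={safeInnerHtml(untrustedHtml)} />
const safeInnerHtml = (untrustedHtml) => ({ __html: sanitizeHtml(String(untrustedHtml ?? '')) });
```

The design point worth keeping from this, whichever sanitizer a project adopts, is that every component reaching for `dangerouslySetInnerHTML` goes through one wrapper such as `safeInnerHtml` rather than calling the sanitizer ad hoc, so a grep for `dangerouslySetInnerHTML` outside that wrapper becomes a simple review check, and the sanitizer's own behaviour on obfuscated `javascript:` URLs, stray `<` characters and unterminated tags is pinned down by unit tests like the `html.test.ts` this PR adds.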

codecov-commenter commented Dec 28, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (84069d9) 68.28% compared to head (7839c93) 68.30%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1651      +/-   ##
==========================================
+ Coverage   68.28%   68.30%   +0.01%     
==========================================
  Files         443      443              
  Lines       28690    28693       +3     
  Branches     7630     7630              
==========================================
+ Hits        19592    19598       +6     
+ Misses       7846     7844       -2     
+ Partials     1252     1251       -1     


juliosgarbi (Contributor, Author) commented Dec 28, 2023

/git merge master

Workflow run: successfully pushed new changes: Merge remote-tracking branch 'origin/master' into fb-leap-444 (829b5fb)

Review thread on src/utils/__tests__/html.test.ts (resolved)
juliosgarbi (Contributor, Author) commented Jan 3, 2024

/git merge master

Workflow run: successfully pushed new changes: Merge remote-tracking branch 'origin/master' into fb-leap-444 (3e1c438)

@juliosgarbi juliosgarbi enabled auto-merge (squash) January 3, 2024 11:58
@juliosgarbi juliosgarbi merged commit e24a306 into master Jan 3, 2024
11 of 14 checks passed
@juliosgarbi juliosgarbi deleted the fb-leap-444 branch January 3, 2024 12:21
MasherJames pushed a commit to HelloPareto/label-studio-frontend that referenced this pull request Feb 29, 2024
* fix: LEAP-444: Implement HTML sanitization in LSF

4 participants