
Commit fc92a05

authored
security: v2 CVE-2024-22191 (#2382)
1 parent 51692a8 commit fc92a05


3 files changed

+8
-1
lines changed

3 files changed

+8
-1
lines changed

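--- a/app/javascript/js/controllers/fields/key_value_controller.js
+++ b/app/javascript/js/controllers/fields/key_value_controller.js
@@ -1,4 +1,5 @@
 /* eslint-disable max-len */
+import * as DOMPurify from 'dompurify'
 import { Controller } from '@hotwired/stimulus'
 import { castBoolean } from '../../helpers/cast_boolean'
 
@@ -80,7 +81,7 @@ export default class extends Controller {
 let index = 0
 this.fieldValue.forEach((row) => {
 const [key, value] = row
-result += this.interpolatedRow(key, value, index)
+result += this.interpolatedRow(DOMPurify.sanitize(key), DOMPurify.sanitize(value), index)
 index++
 })
 this.rowsTarget.innerHTML = result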
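Review bot: DOMPurify.sanitize() on the new line 84 removes unsafe markup from key and value but does not encode the characters that matter inside an HTML attribute, so if interpolatedRow (defined outside this hunk) places the strings into something like `value="${value}"`, a value containing a double quote can still break out of the attribute before the result reaches innerHTML on the last line. If the pairs are meant to be shown as plain text rather than as markup, an entity-encoding helper is the more precise fix, e.g. `const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';')` used in place of DOMPurify.sanitize, or escaping inside interpolatedRow itself so every caller is covered. A short comment on the sanitizing line, such as `// keys/values are user-supplied; sanitize before interpolating into innerHTML (CVE-2024-22191)`, would help the next maintainer avoid reintroducing the issue when another interpolation path is added. The enclosing method starts and ends outside the hunk.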

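--- a/package.json
+++ b/package.json
@@ -36,6 +36,7 @@
 "codemirror": "5.59.1",
 "core-js": "^3.21.0",
 "css-loader": "^6.7.0",
+"dompurify": "^3.0.8",
 "easymde": "^2.18.0",
 "el-transition": "^0.0.7",
 "esbuild": "^0.14.25",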

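--- a/yarn.lock
+++ b/yarn.lock
@@ -1298,6 +1298,11 @@ doctrine@^3.0.0:
 dependencies:
 esutils "^2.0.2"
 
+dompurify@^3.0.8:
+version "3.0.8"
+resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.8.tgz#e0021ab1b09184bc8af7e35c7dd9063f43a8a437"
+integrity sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ==
+
 easymde@^2.18.0:
 version "2.18.0"
 resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.18.0.tgz#ff1397d07329b1a7b9187d2d0c20766fa16b3b1b"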
