From 0f312a88bb8ddfd839eb6286a20ceefe493350d2 Mon Sep 17 00:00:00 2001
From: Jamie V
Date: Thu, 2 Feb 2023 18:16:45 -0800
Subject: [PATCH] [Notebook] Sanitize entries before save for extra protection (#6255)

* Sanitizing before save as well to be be doubly safe

---------

Co-authored-by: Andrew Henry
---
 src/plugins/notebook/components/NotebookEntry.vue | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/plugins/notebook/components/NotebookEntry.vue b/src/plugins/notebook/components/NotebookEntry.vue
index 11015c0054..20e4f8784e 100644
--- a/src/plugins/notebook/components/NotebookEntry.vue
+++ b/src/plugins/notebook/components/NotebookEntry.vue
@@ -77,13 +77,13 @@
 aria-label="Notebook Entry Input"
 tabindex="0"
 :contenteditable="canEdit"
+v-bind.prop="formattedText"
 @mouseover="checkEditability($event)"
 @mouseleave="canEdit = true"
 @focus="editingEntry()"
 @blur="updateEntryValue($event)"
 @keydown.enter.exact.prevent
 @keyup.enter.exact.prevent="forceBlur($event)"
-v-html="formattedText"
 >
@@ -250,7 +250,7 @@ export default {
 let text = sanitizeHtml(this.entry.text, SANITIZATION_SCHEMA);
 if (this.editMode || !this.urlWhitelist) {
-return text;
+return { innerText: text };
 }
 text = text.replace(URL_REGEX, (match) => {
@@ -268,7 +268,7 @@ export default {
 return result;
 });
-return text;
+return { innerHTML: text };
 },
 isSelectedEntry() {
 return this.selectedEntryId === this.entry.id;
@@ -456,7 +456,7 @@ export default {
 this.editMode = false;
 const value = $event.target.innerText;
 if (value !== this.entry.text && value.match(/\S/)) {
-this.entry.text = value;
+this.entry.text = sanitizeHtml(value, SANITIZATION_SCHEMA);
 this.timestampAndUpdate();
 } else {
 this.$emit('cancelEdit');
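Review bot: In the `@@ -456` hunk the change-detection and non-blank checks run on the raw `innerText` while the stored value is the sanitized result, so an entry whose content is entirely removed by the sanitizer (or collapses back to the existing `this.entry.text`) still overwrites the entry and calls `timestampAndUpdate()` instead of taking the `cancelEdit` branch. Sanitize first and compare the sanitized value: `const value = sanitizeHtml($event.target.innerText, SANITIZATION_SCHEMA);` then keep `if (value !== this.entry.text && value.match(/\S/)) {` and `this.entry.text = value;`. Note also that `formattedText` now feeds the sanitized text to `innerText` in edit mode (`@@ -250` hunk) while the save path stores sanitizer output; if `sanitizeHtml` entity-encodes characters such as `&` or `<` in text nodes, a round trip through edit/save may progressively re-encode them — worth confirming against the sanitizer's configuration and adding a short comment on the intended stored form. The enclosing `updateEntryValue` and `formattedText` bodies start and end outside their hunks.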