Remove v-html from NoteForm Component

This is a refactor for removing potentially dangerous v-html from the codebase. This switches to using secure alternative: GlSprintf and GlLink Thanks to @Toumash for their contributions

Remove v-html from NoteForm Component
This is a refactor for removing potentially dangerous v-html from the codebase. This switches to using secure alternative: GlSprintf and GlLink Thanks to @Toumash for their contributions
395e1724 · Dheeraj Joshi · a0d10fed · 395e1724 · 395e1724
Commit 395e1724 authored Oct 21, 2021 by Dheeraj Joshi
Showing with 17 additions and 15 deletions

app/assets/javascripts/notes/components/note_form.vue app/assets/javascripts/notes/components/note_form.vue +15 -15

spec/frontend/notes/components/note_form_spec.js spec/frontend/notes/components/note_form_spec.js +2 -0

No files found.
--- a/app/assets/javascripts/notes/components/note_form.vue
+++ b/app/assets/javascripts/notes/components/note_form.vue
 <script>
-import { GlButton } from '@gitlab/ui';
+import { GlButton, GlSprintf, GlLink } from '@gitlab/ui';
 import { mapGetters, mapActions, mapState } from 'vuex';
 import { getDraft, updateDraft } from '~/lib/utils/autosave';
 import { mergeUrlParams } from '~/lib/utils/url_utility';
-import { __, sprintf } from '~/locale';
+import { __ } from '~/locale';
 import markdownField from '~/vue_shared/components/markdown/field.vue';
 import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import eventHub from '../event_hub';
@@ -17,6 +17,8 @@ export default {
    markdownField,
    CommentFieldLayout,
    GlButton,
+    GlSprintf,
+    GlLink,
  },
  mixins: [glFeatureFlagsMixin(), issuableStateMixin, resolvable],
  props: {
@@ -203,16 +205,12 @@ export default {
      );
    },
    changedCommentText() {
-      return sprintf(
+      return {
-        __(
+        text: __(
          'This comment changed after you started editing it. Review the %{startTag}updated comment%{endTag} to ensure information is not lost.',
        ),
-        {
+        placeholder: { link: ['startTag', 'endTag'] },
-          startTag: `<a href="${this.noteHash}" target="_blank" rel="noopener noreferrer">`,
+      };
-          endTag: '</a>',
-        },
-        false,
-      );
    },
  },
  watch: {
@@ -318,11 +316,13 @@ export default {
 <template>
  <div ref="editNoteForm" class="note-edit-form current-note-edit-form js-discussion-note-form">
-    <div
+    <div v-if="conflictWhileEditing" class="js-conflict-edit-warning alert alert-danger">
-      v-if="conflictWhileEditing"
+      <gl-sprintf :message="changedCommentText.text" :placeholders="changedCommentText.placeholder">
-      class="js-conflict-edit-warning alert alert-danger"
+        <template #link="{ content }">
-      v-html="changedCommentText /* eslint-disable-line vue/no-v-html */"
+          <gl-link :href="noteHash" target="_blank">{{ content }}</gl-link>
-    ></div>
+        </template>
+      </gl-sprintf>
+    </div>
    <div class="flash-container timeline-content"></div>
    <form :data-line-code="lineCode" class="edit-note common-note-form js-quick-submit gfm-form">
      <comment-field-layout

--- a/spec/frontend/notes/components/note_form_spec.js
+++ b/spec/frontend/notes/components/note_form_spec.js
+import { GlLink } from '@gitlab/ui';
 import { mount } from '@vue/test-utils';
 import { nextTick } from 'vue';
 import batchComments from '~/batch_comments/stores/modules/batch_comments';
@@ -91,6 +92,7 @@ describe('issue_note_form component', () => {
      expect(conflictWarning.exists()).toBe(true);
      expect(conflictWarning.text().replace(/\s+/g, ' ').trim()).toBe(message);
+      expect(conflictWarning.find(GlLink).attributes('href')).toBe('#note_545');
    });
  });