Merge pull request #878 from blesildaramirez/i9717

blesildaramirez · web-flow · commit 5f049fe0af1e · 2025-02-20T21:01:46.000-05:00
pkp/pkp-lib#9717 Resolve template injection risks in Smarty/Vue interactions
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -55,6 +55,7 @@
     "cypress-file-upload": "^5.0.8",
     "cypress-iframe": "^1.0.1",
     "cypress-wait-until": "^2.0.1",
+    "dompurify": "^3.2.4",
     "eslint": "^8.48.0",
     "eslint-plugin-vue": "^9.17.0",
     "google-closure-compiler-java": "^20200719.0.0",
diff --git a/plugins/importexport/native/templates/index.tpl b/plugins/importexport/native/templates/index.tpl
@@ -84,7 +84,7 @@
 								/>
 								<span
                                     class="listPanel__itemSubTitle"
-                                    v-html="localize(
+                                    v-strip-unsafe-html="localize(
 										item.publications.find(p => p.id == item.currentPublicationId).fullTitle,
 										item.publications.find(p => p.id == item.currentPublicationId).locale
 									)"
diff --git a/templates/submission/review-relation.tpl b/templates/submission/review-relation.tpl
@@ -29,7 +29,7 @@
         <div class="submissionWizard__reviewPanel__item">
             <template v-if="publication.relationStatus === {\APP\publication\Publication::PUBLICATION_RELATION_PUBLISHED}">
                 <template v-if="publication.vorDoi">
-                    <span v-html="replaceLocaleParams(i18nRelationWithLink, {ldelim}vorDoi: publication.vorDoi{rdelim})"></span>
+                    <span v-strip-unsafe-html="replaceLocaleParams(i18nRelationWithLink, {ldelim}vorDoi: publication.vorDoi{rdelim})"></span>
                 </template>
                 <template v-else>
                     {translate key="publication.relation.published"}
