#9717 Use v-strip-unsafe-html instead of v-html

pkp · Feb 16, 2025 · 334df67 · 334df67
1 parent ec02e2d
commit 334df67
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/templates/submission/review-publication-field.tpl b/templates/submission/review-publication-field.tpl
@@ -36,7 +36,7 @@
     <div
         class="submissionWizard__reviewPanel__item__value"
         {if $type === 'html'}
-            v-html="publication.{$localizedProp|escape}
+            v-strip-unsafe-html="publication.{$localizedProp|escape}
                 ? publication.{$localizedProp|escape}
                 : '{translate key="common.noneProvided"}'"
         {/if}
@@ -54,7 +54,7 @@
                 {translate key="common.noneProvided"}
             </template>
         {elseif $type === 'html'}
-            {* empty. see v-html above *}
+            {* empty. see v-strip-unsafe-html above *}
         {else}
             <template v-if="publication.{$localizedProp|escape}">
                 {{ publication.{$localizedProp|escape} }}

diff --git a/templates/submission/wizard.tpl b/templates/submission/wizard.tpl
@@ -22,7 +22,7 @@
             </template>
             <template v-if="localize(publication.title)">
                 <span class="app__breadcrumbsSeparator" aria-hidden="true">/</span>
-                <span v-html="localize(publication.title)">
+                <span v-strip-unsafe-html="localize(publication.title)">
             </template>
         </div>
         <h1 class="app__pageHeading" ref="pageTitle">
@@ -66,7 +66,7 @@
                     <panel-section v-for="section in step.sections" :key="section.id">
                         <template #header>
                             <h2>{{ section.name }}</h2>
-                            <div v-html="section.description" />
+                            <div v-strip-unsafe-html="section.description" />
                         </template>
                         <pkp-form
                             v-if="section.type === 'form'"

diff --git a/templates/workflow/submissionIdentification.tpl b/templates/workflow/submissionIdentification.tpl
@@ -26,6 +26,6 @@
 
 <span 
 	class="pkpWorkflow__identificationTitle" 
-	v-html="localizeSubmission(currentPublication.fullTitle, currentPublication.locale)"
+	v-strip-unsafe-html="localizeSubmission(currentPublication.fullTitle, currentPublication.locale)"
 >
 </span>