debian-mirror-gitlab/app/assets/javascripts/vue_shared/directives/safe_html.js

import { sanitize } from '~/lib/dompurify';

// Mitigate against future dompurify mXSS bypasses by
// avoiding additional serialize/parse round trip.
// See https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/1782
// and https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/2127
// for more details.
const DEFAULT_CONFIG = {
  RETURN_DOM_FRAGMENT: true,
};

const transform = (el, binding) => {
  if (binding.oldValue !== binding.value) {
    const config = { ...DEFAULT_CONFIG, ...(binding.arg ?? {}) };

    el.textContent = '';

    el.appendChild(sanitize(binding.value, config));
  }
};

export default {
  bind: transform,
  update: transform,
};
New upstream version 15.5.4+ds1 2022-11-25 23:54:43 +05:30			`import { sanitize } from '~/lib/dompurify';`

			`// Mitigate against future dompurify mXSS bypasses by`
			`// avoiding additional serialize/parse round trip.`
			`// See https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/1782`
			`// and https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/2127`
			`// for more details.`
			`const DEFAULT_CONFIG = {`
			`RETURN_DOM_FRAGMENT: true,`
			`};`

			`const transform = (el, binding) => {`
			`if (binding.oldValue !== binding.value) {`
			`const config = { ...DEFAULT_CONFIG, ...(binding.arg ?? {}) };`

			`el.textContent = '';`

			`el.appendChild(sanitize(binding.value, config));`
			`}`
			`};`

			`export default {`
			`bind: transform,`
			`update: transform,`
			`};`