fix(security): xss via v-html with user-controlled content

The Footer.vue component renders openSettings.copyright using v-html without sanitization. If an attacker can control the copyright setting (e.g., via admin panel or database), they can inject malicious JavaScript that executes in all users' browsers.

Affected files: Footer.vue

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
This commit is contained in:
tuanaiseo 2026-05-17 06:12:13 +07:00
parent add0124cfd
commit 200759c9e8


@ -1,6 +1,7 @@
<script setup>
import { useScopedI18n } from '@/i18n/app'
import { useGlobalState } from '../store'
import DOMPurify from 'dompurify'
const { openSettings } = useGlobalState()
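Review bot: the new `import DOMPurify from 'dompurify'` line relies on a dependency that this commit does not declare (the message lists Footer.vue as the only affected file); add `dompurify` to package.json and the lockfile in the same change, otherwise the import fails at build time. One caveat on the import itself: DOMPurify needs a DOM to operate on, so if this component is ever server-rendered the sanitizer must be created against a DOM implementation on the server rather than imported bare as here.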
@ -17,7 +18,7 @@ const { t } = useScopedI18n('views.Footer')
{{ t('copyright') }} © 2023-{{ new Date().getFullYear() }}
</n-text>
<n-text depth="3">
<div v-html="openSettings.copyright"></div>
<div v-html="DOMPurify.sanitize(openSettings.copyright)"></div>
</n-text>
</n-space>
</div>
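Review bot: the template now calls `DOMPurify.sanitize(openSettings.copyright)` inline, which re-runs the sanitizer on every render; move it into a computed in the script block (e.g. `const safeCopyright = computed(() => DOMPurify.sanitize(openSettings.copyright))` and `v-html="safeCopyright"`) so it runs only when the setting changes and the template stays readable. More importantly, if the copyright setting is only ever plain text, replacing `v-html` with `{{ openSettings.copyright }}` interpolation removes the HTML sink entirely and needs no sanitizer at all; if markup is genuinely required, consider passing DOMPurify's `ALLOWED_TAGS` option limited to the few formatting and link tags a footer needs, since the default profile still admits a broad set of HTML.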