feat: use dompurify to sanitize translations

Pin same version of `dompurify` used in Theia
2025-11-08 18:08:33 +00:00 · 2024-12-02 10:01:18 +01:00
parent 4788bfbc3f
commit 8e18c47d30
4 changed files with 22 additions and 11 deletions
--- a/arduino-ide-extension/package.json
+++ b/arduino-ide-extension/package.json
@@ -67,6 +67,7 @@
    "cross-fetch": "^3.1.5",
    "dateformat": "^3.0.3",
    "deepmerge": "^4.2.2",
+    "dompurify": "^2.4.7",
    "drivelist": "^9.2.4",
    "electron-updater": "^4.6.5",
    "fast-deep-equal": "^3.1.3",
--- a/arduino-ide-extension/src/browser/dialogs/ide-updater/ide-updater-dialog.tsx
+++ b/arduino-ide-extension/src/browser/dialogs/ide-updater/ide-updater-dialog.tsx
@@ -17,6 +17,7 @@ import {
 } from '../../../common/protocol/ide-updater';
 import { LocalStorageService } from '@theia/core/lib/browser';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
+import { sanitize } from 'dompurify';

@injectable()
 export class IDEUpdaterDialogProps extends DialogProps {}
@@ -173,9 +174,8 @@ export class IDEUpdaterDialog extends ReactDialog<UpdateInfo | undefined> {
    footer.appendChild(footerContent);

    const footerLink = document.createElement('a');
-    footerLink.innerText = nls.localize(
-      'arduino/ide-updater/donateLinkText',
-      'donate to support us'
+    footerLink.innerText = sanitize(
+      nls.localize('arduino/ide-updater/donateLinkText', 'donate to support us')
    );
    footerLink.classList.add('ide-updater-dialog--footer-link');
    footerLink.onclick = () =>
@@ -190,10 +190,12 @@ export class IDEUpdaterDialog extends ReactDialog<UpdateInfo | undefined> {
    footerLink.appendChild(footerLinkIcon);

    const placeholderKey = '%%link%%';
-    const footerText = nls.localize(
-      'arduino/ide-updater/donateText',
-      'Open source is love, {0}',
-      placeholderKey
+    const footerText = sanitize(
+      nls.localize(
+        'arduino/ide-updater/donateText',
+        'Open source is love, {0}',
+        placeholderKey
+      )
    );
    const placeholder = footerText.indexOf(placeholderKey);
    if (placeholder !== -1) {
--- a/arduino-ide-extension/src/browser/dialogs/version-welcome-dialog.tsx
+++ b/arduino-ide-extension/src/browser/dialogs/version-welcome-dialog.tsx
@@ -6,6 +6,7 @@ import { nls } from '@theia/core';
 import { DialogProps } from '@theia/core/lib/browser';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
 import { AppService } from '../app-service';
+import { sanitize } from 'dompurify';

@injectable()
 export class VersionWelcomeDialogProps extends DialogProps {}
@@ -87,10 +88,12 @@ export class VersionWelcomeDialog extends ReactDialog<void> {
    const { appVersion } = appInfo;

    if (appVersion) {
-      this.titleNode.innerHTML = nls.localize(
-        'arduino/versionWelcome/titleWithVersion',
-        'Welcome to the new Arduino IDE {0}!',
-        appVersion
+      this.titleNode.innerText = sanitize(
+        nls.localize(
+          'arduino/versionWelcome/titleWithVersion',
+          'Welcome to the new Arduino IDE {0}!',
+          appVersion
+        )
      );
    }
  }