Installations
npm install @cmss-cli/vue-dompurify-htmlDeveloper Guide
Typescript
Yes
Module System
CommonJS
Node Version
14.21.3
NPM Version
6.14.18
Score
38.2
Supply Chain
69.3
Quality
73.2
Maintenance
50
Vulnerability
98.2
License
Releases
Contributors
Languages
TypeScript (94.37%)
JavaScript (4.29%)
Nix (1.34%)
Developer
LeSuisse
Download Statistics
Total Downloads
140
Last Day
1
Last Week
1
Last Month
9
Last Year
140
GitHub Statistics
296 Stars
3,189 Commits
23 Forks
6 Watching
3 Branches
6 Contributors
Maintainers
Package Meta Information
Latest Version
2.6.0
Package Id
@cmss-cli/vue-dompurify-html@2.6.0
Unpacked Size
12.77 kB
Size
4.32 kB
File Count
7
NPM Version
6.14.18
Node Version
14.21.3
Publised On
25 Jul 2024
Total Downloads
Cumulative downloads
Total Downloads
140
Last day
0%
1
Compared to previous day
Last week
-50%
1
Compared to previous week
Last month
-70%
9
Compared to previous month
Last year
0%
140
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
vue-dompurify-html
A "safe" replacement for the v-html directive. The HTML code is
sanitized with DOMPurify before being interpreted.
This is only a small wrapper around DOMPurify to ease its usage in a Vue app. You should take a look at the DOMPurify Security Goals & Threat Model to understand what are the limitations and possibilities.
If you are looking for a version compatible with Vue 3 checkout the main branch.
Installation
npm install vue-dompurify-html@vue-legacy
Usage
1import Vue from 'vue'
2import VueDOMPurifyHTML from 'vue-dompurify-html'
3
4Vue.use(VueDOMPurifyHTML)
5
6new Vue({
7 el: '#app',
8 data: {
9 rawHtml: '<span style="color: red">This should be red.</span>'
10 }
11})In your template:
1<div id="app"> 2 <div v-dompurify-html="rawHtml"></div> 3</div>
You can also define your DOMPurify configurations:
1import Vue from 'vue'
2import VueDOMPurifyHTML from 'vue-dompurify-html'
3
4Vue.use(VueDOMPurifyHTML, {
5 namedConfigurations: {
6 'svg': {
7 USE_PROFILES: { svg: true }
8 },
9 'mathml': {
10 USE_PROFILES: { mathMl: true }
11 },
12 }
13});
14
15new Vue({
16 el: '#app',
17 data: {
18 rawHtml: '<span style="color: red">This should be red.</span>',
19 svgContent: '<svg><rect height="50"></rect></svg>'
20 }
21})Your configuration keys can then be used as an argument of the directive:
1<div id="app"> 2 <div v-dompurify-html="rawHtml"></div> 3 <div v-dompurify-html:svg="svgContent"></div> 4</div>
Alternatively, you can define a default DOMPurify configuration:
1import Vue from 'vue'
2import VueDOMPurifyHTML from 'vue-dompurify-html'
3
4Vue.use(VueDOMPurifyHTML, {
5 default: {
6 USE_PROFILES: { html: false }
7 }
8});
9
10new Vue({
11 el: '#app',
12 data: {
13 rawHtml: '<span style="color: red">This should not be red.</span>'
14 }
15})The default DOMPurify configuration will be used:
1<div id="app"> 2 <div v-dompurify-html="rawHtml"></div> 3</div>
There is also the possibility to set-up DOMPurify hooks:
1import { createApp } from 'vue' 2import VueDOMPurifyHTML from 'vue-dompurify-html' 3 4const app = createApp({ 5 data: () => ({ 6 rawHtml: '<span style="color: red">This should be red.</span>' 7 }) 8}); 9app.use(VueDOMPurifyHTML, { 10 hooks: { 11 uponSanitizeElement: (currentNode) => { 12 // Do something with the node 13 } 14 } 15}); 16app.mount('#app');
Usage with Nuxt
Client side
The usage is similar than when directly using Vue.
Define a new Nuxt plugin to import and setup the directive to your liking:
1import Vue from 'vue'; 2import VueDOMPurifyHTML from 'vue-dompurify-html'; 3 4Vue.use(VueDOMPurifyHTML);
and then tell Nuxt to use it as client-side plugin in your Nuxt config:
1export default { 2 plugins: [{ src: '~/plugins/dompurify', mode: 'client' }] 3}
Server side
The usage is similar than when directly using Vue but you need to setup DOMPurify to work with Node.
Install this package, DOMPurify and JSDOM:
npm install vue-dompurify-html@vue-legacy dompurify jsdom
In your Nuxt config you will need to setup a "server-side" directive:
1export default { 2 render: { 3 bundleRenderer: { 4 directives: { 5 'dompurify-html': (el, dir) => { 6 const insertHook = buildVueDompurifyHTMLDirective( 7 {}, 8 () => { 9 const window = new JSDOM('').window; 10 return createDOMPurify(window); 11 } 12 ).inserted; 13 insertHook(el, dir); 14 el.data.domProps = { innerHTML: el.innerHTML }; 15 } 16 } 17 } 18 } 19}
Note that if you are not using injectScripts: false
in your Nuxt config you will also need to register a client-side plugin as described just before.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
all dependencies are pinned
Details
- Info: 5 out of 5 GitHub-owned GitHubAction dependencies pinned
- Info: 3 out of 3 third-party GitHubAction dependencies pinned
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/Release.yml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/CI.yml:4
- Warn: no topLevel permission defined: .github/workflows/Release.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:4
- Info: topLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:5
- Info: found token with 'none' permissions: .github/workflows/codeql-analysis.yml:6
- Info: found token with 'none' permissions: .github/workflows/codeql-analysis.yml:7
- Info: no jobLevel write permissions found
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Warn: branch 'main' does not require approvers
- Warn: codeowners review is not required on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings
Reason
Found 0/1 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
7.2
/10
Last Scanned on 2024-12-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More