mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-19 07:15:20 +00:00
chore(frontend): fix ESLint, add Pint+ESLint pre-commit hook, centralize v-html
Fix the broken ESLint setup: add vue-eslint-parser and @typescript-eslint/parser and wire the TS parser into eslint.config.mjs so .ts and <script lang=ts> parse (was failing outright). Clear the resulting backlog to a clean 0/0 baseline — fix genuine issues, relax two intentional-pattern rules (multi-word-component-names, no-required-prop-with-default). Add a committed .githooks/pre-commit (enabled via core.hooksPath, auto-set by the prepare script) that runs Pint on staged PHP and ESLint --max-warnings 0 on staged resources/scripts JS/TS/Vue, blocking on failure. Add composer/npm lint scripts and document the gate in CLAUDE.md. Replace every scattered v-html with a single audited BaseSanitizedHtml component that DOMPurify-sanitizes its input (new utils/markdown.ts sanitizeHtml), so server/registry-provided HTML is actually sanitized and vue/no-v-html stays enabled everywhere but one reviewed sink.
This commit is contained in:
committed by
Darko Gjorgjijoski
parent
1e8b113cc9
commit
f3ab0f22fc
@@ -411,7 +411,7 @@ function initGenerator(name: string): string {
|
||||
:placeholder="$t('general.search')"
|
||||
type="text"
|
||||
icon="search"
|
||||
@update:modelValue="() => debounceSearchCustomer()"
|
||||
@update:model-value="() => debounceSearchCustomer()"
|
||||
/>
|
||||
|
||||
<ul
|
||||
|
||||
@@ -144,8 +144,8 @@ function deselectItem(index: number): void {
|
||||
searchable
|
||||
:options="searchItems"
|
||||
object
|
||||
@update:modelValue="(val: Item) => $emit('select', val)"
|
||||
@searchChange="(val: string) => $emit('search', val)"
|
||||
@update:model-value="(val: Item) => $emit('select', val)"
|
||||
@search-change="(val: string) => $emit('search', val)"
|
||||
>
|
||||
<!-- Add Item Action -->
|
||||
<template #action>
|
||||
|
||||
@@ -27,7 +27,6 @@
|
||||
name="tag"
|
||||
:option="option.raw"
|
||||
:handle-tag-remove="handleTagRemove"
|
||||
:handleTagRemove="handleTagRemove"
|
||||
:disabled="disabled"
|
||||
>
|
||||
<span
|
||||
@@ -228,11 +227,11 @@
|
||||
/>
|
||||
<template v-else>
|
||||
<input
|
||||
v-for="(value, index) in nativeValues"
|
||||
v-for="(nativeValue, index) in nativeValues"
|
||||
:key="index"
|
||||
type="hidden"
|
||||
:name="`${name}[]`"
|
||||
:value="value"
|
||||
:value="nativeValue"
|
||||
/>
|
||||
</template>
|
||||
</template>
|
||||
|
||||
25
resources/scripts/components/base/BaseSanitizedHtml.vue
Normal file
25
resources/scripts/components/base/BaseSanitizedHtml.vue
Normal file
@@ -0,0 +1,25 @@
|
||||
<script setup lang="ts">
|
||||
import { computed } from 'vue'
|
||||
import { sanitizeHtml } from '@/scripts/utils/markdown'
|
||||
|
||||
const props = withDefaults(
|
||||
defineProps<{
|
||||
/** Raw HTML to render. Always DOMPurify-sanitized before it is bound. */
|
||||
html?: string | null
|
||||
}>(),
|
||||
{ html: '' }
|
||||
)
|
||||
|
||||
const clean = computed(() => sanitizeHtml(props.html))
|
||||
</script>
|
||||
|
||||
<template>
|
||||
<!--
|
||||
The single, audited v-html sink in the app. `clean` is DOMPurify-sanitized
|
||||
above, so any HTML (server-, registry-, or update-server-provided) rendered
|
||||
through this component is safe. Do NOT use v-html anywhere else — route it
|
||||
here instead. This is the only place vue/no-v-html is disabled.
|
||||
-->
|
||||
<!-- eslint-disable-next-line vue/no-v-html -->
|
||||
<div v-html="clean" />
|
||||
</template>
|
||||
@@ -77,7 +77,7 @@ defineProps<Props>()
|
||||
{{ $t('invoices.notes') }}
|
||||
</dt>
|
||||
<dd class="mt-1 text-sm text-heading sm:mt-0 sm:col-span-2">
|
||||
<span v-html="invoice.formatted_notes"></span>
|
||||
<BaseSanitizedHtml :html="invoice.formatted_notes" />
|
||||
</dd>
|
||||
</div>
|
||||
</dl>
|
||||
|
||||
Reference in New Issue
Block a user