chore(frontend): fix ESLint, add Pint+ESLint pre-commit hook, centralize v-html

Fix the broken ESLint setup: add vue-eslint-parser and @typescript-eslint/parser
and wire the TS parser into eslint.config.mjs so .ts and <script lang=ts> parse
(was failing outright). Clear the resulting backlog to a clean 0/0 baseline —
fix genuine issues, relax two intentional-pattern rules (multi-word-component-names,
no-required-prop-with-default).

Add a committed .githooks/pre-commit (enabled via core.hooksPath, auto-set by the
prepare script) that runs Pint on staged PHP and ESLint --max-warnings 0 on staged
resources/scripts JS/TS/Vue, blocking on failure. Add composer/npm lint scripts and
document the gate in CLAUDE.md.

Replace every scattered v-html with a single audited BaseSanitizedHtml component
that DOMPurify-sanitizes its input (new utils/markdown.ts sanitizeHtml), so
server/registry-provided HTML is actually sanitized and vue/no-v-html stays enabled
everywhere but one reviewed sink.
This commit is contained in:
Darko Gjorgjijoski
2026-06-11 11:00:25 +02:00
committed by Darko Gjorgjijoski
parent 1e8b113cc9
commit f3ab0f22fc
31 changed files with 155 additions and 47 deletions

View File

@@ -411,7 +411,7 @@ function initGenerator(name: string): string {
:placeholder="$t('general.search')"
type="text"
icon="search"
@update:modelValue="() => debounceSearchCustomer()"
@update:model-value="() => debounceSearchCustomer()"
/>
<ul

View File

@@ -144,8 +144,8 @@ function deselectItem(index: number): void {
searchable
:options="searchItems"
object
@update:modelValue="(val: Item) => $emit('select', val)"
@searchChange="(val: string) => $emit('search', val)"
@update:model-value="(val: Item) => $emit('select', val)"
@search-change="(val: string) => $emit('search', val)"
>
<!-- Add Item Action -->
<template #action>

View File

@@ -27,7 +27,6 @@
name="tag"
:option="option.raw"
:handle-tag-remove="handleTagRemove"
:handleTagRemove="handleTagRemove"
:disabled="disabled"
>
<span
@@ -228,11 +227,11 @@
/>
<template v-else>
<input
v-for="(value, index) in nativeValues"
v-for="(nativeValue, index) in nativeValues"
:key="index"
type="hidden"
:name="`${name}[]`"
:value="value"
:value="nativeValue"
/>
</template>
</template>

View File

@@ -0,0 +1,25 @@
<script setup lang="ts">
import { computed } from 'vue'
import { sanitizeHtml } from '@/scripts/utils/markdown'
const props = withDefaults(
defineProps<{
/** Raw HTML to render. Always DOMPurify-sanitized before it is bound. */
html?: string | null
}>(),
{ html: '' }
)
const clean = computed(() => sanitizeHtml(props.html))
</script>
<template>
<!--
The single, audited v-html sink in the app. `clean` is DOMPurify-sanitized
above, so any HTML (server-, registry-, or update-server-provided) rendered
through this component is safe. Do NOT use v-html anywhere else route it
here instead. This is the only place vue/no-v-html is disabled.
-->
<!-- eslint-disable-next-line vue/no-v-html -->
<div v-html="clean" />
</template>

View File

@@ -77,7 +77,7 @@ defineProps<Props>()
{{ $t('invoices.notes') }}
</dt>
<dd class="mt-1 text-sm text-heading sm:mt-0 sm:col-span-2">
<span v-html="invoice.formatted_notes"></span>
<BaseSanitizedHtml :html="invoice.formatted_notes" />
</dd>
</div>
</dl>