chore(frontend): fix ESLint, add Pint+ESLint pre-commit hook, centralize v-html

Fix the broken ESLint setup: add vue-eslint-parser and @typescript-eslint/parser
and wire the TS parser into eslint.config.mjs so .ts and <script lang=ts> parse
(was failing outright). Clear the resulting backlog to a clean 0/0 baseline —
fix genuine issues, relax two intentional-pattern rules (multi-word-component-names,
no-required-prop-with-default).

Add a committed .githooks/pre-commit (enabled via core.hooksPath, auto-set by the
prepare script) that runs Pint on staged PHP and ESLint --max-warnings 0 on staged
resources/scripts JS/TS/Vue, blocking on failure. Add composer/npm lint scripts and
document the gate in CLAUDE.md.

Replace every scattered v-html with a single audited BaseSanitizedHtml component
that DOMPurify-sanitizes its input (new utils/markdown.ts sanitizeHtml), so
server/registry-provided HTML is actually sanitized and vue/no-v-html stays enabled
everywhere but one reviewed sink.
This commit is contained in:
Darko Gjorgjijoski
2026-06-11 11:00:25 +02:00
committed by Darko Gjorgjijoski
parent 1e8b113cc9
commit f3ab0f22fc
31 changed files with 155 additions and 47 deletions

View File

@@ -40,3 +40,19 @@ export function renderMarkdown(source: string): string {
return DOMPurify.sanitize(rawHtml)
}
/**
* Sanitize a raw HTML string with DOMPurify's default browser profile
* (strips <script>, event handlers, javascript: URLs, and every other HTML
* vector). Use this for HTML that originates from the server, a third-party
* module registry, or the update server before binding it via v-html — the
* `BaseSanitizedHtml` component wraps this so feature code never touches
* v-html directly.
*/
export function sanitizeHtml(html: string | null | undefined): string {
if (!html) {
return ''
}
return DOMPurify.sanitize(html)
}