Fix CVE-2025-62798: Sanitize HTML content to prevent XSS attacks (for sharp 8.0) by rycks · Pull Request #687 · code16/sharp

rycks · 2026-01-21T18:04:28Z

As i'm blocked by php 8.2 version on my server here is i hope a fix for the CVE-2025-62798:

Add symfony/html-sanitizer and dompurify dependencies
Create sanitize utility function using DOMPurify
Apply sanitization to all v-html usages:
- ShowPage title
- Text field content
- DataListRow HTML columns
- ActionView notifications and dialogs
- EmbedRenderer slots
- GlobalSearch results
- ListUpload text

- Add symfony/html-sanitizer and dompurify dependencies - Create sanitize utility function using DOMPurify - Apply sanitization to all v-html usages: - ShowPage title - Text field content - DataListRow HTML columns - ActionView notifications and dialogs - EmbedRenderer slots - GlobalSearch results - ListUpload text

aguingand · 2026-01-22T13:06:09Z

Thank you for this PR. I think sanitizing every v-html is not necessary. Could you sanitize only Show text field, DataListRow & show title ? Here is were we sanitize today : https://github.com/search?q=repo%3Acode16%2Fsharp+%28sanitize+OR+sanitizeVueTemplate%29+language%3AVue++OR+language%3ATypeScript+&type=code.

aguingand · 2026-01-22T13:06:56Z

resources/assets/js/util/sanitize.js

+ * @param {string|null} html - The HTML content to sanitize
+ * @returns {string|null} - The sanitized HTML content
+ */
+export function sanitize(html) {


We should use the same code than today here (

sharp/resources/js/utils/sanitize.ts

Lines 3 to 22 in d8d109b

DOMPurify.addHook('afterSanitizeAttributes', function (node) {

if (node.tagName === 'A' && !node.getAttribute('rel')?.includes('noopener')) {

node.setAttribute('rel', `${node.getAttribute('rel') ?? ''} noopener`.trim());

}

});

export function sanitize(html: string | null) {

return html

? DOMPurify.sanitize(html, {

ADD_TAGS: ['iframe'],

ADD_ATTR: ['target'],

CUSTOM_ELEMENT_HANDLING: {

tagNameCheck: () => true,

attributeNameCheck: (name) => {

return !name.match(/^(v-)|:|@|#/); // remove vue related attributes

},

},

})

: html;

}

)

aguingand · 2026-01-22T13:12:07Z

resources/assets/js/util/sanitize.js

+            attributeNameCheck: () => true,
+        }
+    });
+}


We should have the other function sanitizeForVue() here & use it in TemplateRenderer.vue

Here is how we do it today in Sharp 9 :

sharp/resources/js/utils/sanitize.ts

Lines 24 to 27 in d8d109b

// Separate function that sanitizes all rendered Vue template, '{{' & '}}' should always be escaped

export function sanitizeVueTemplate(template: string) {

return template.replaceAll('{{', '{{').replaceAll('}}', '}}');

}

sharp/resources/js/components/TemplateRenderer.vue

Lines 6 to 21 in d8d109b

import { sanitizeVueTemplate } from "@/utils/sanitize";

const props = defineProps<{

template: string,

components?: Record<string, Component>,

}>();

const component = computed(() => ({

components: {

'sharp-card': Card,

'sharp-card-content': CardContent,

'sharp-badge': Badge,

...props.components,

},

template: `<div data-sharp-template>${sanitizeVueTemplate(props.template ?? '')}</div>`,

}));

rycks changed the title ~~Fix CVE-2025-62798: Sanitize HTML content to prevent XSS attacks~~ Fix CVE-2025-62798: Sanitize HTML content to prevent XSS attacks (for sharp 8.0) Jan 21, 2026

aguingand requested changes Jan 22, 2026

View reviewed changes

aguingand mentioned this pull request Jan 22, 2026

Fix CVE-2025-61457: Sanitize SVG files on upload to prevent XSS attacks (for sharp 8.0) #688

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix CVE-2025-62798: Sanitize HTML content to prevent XSS attacks (for sharp 8.0)#687

Fix CVE-2025-62798: Sanitize HTML content to prevent XSS attacks (for sharp 8.0)#687
rycks wants to merge 1 commit intocode16:8.0from
rycks:8.0-fix-cve-2025-62798

rycks commented Jan 21, 2026

Uh oh!

aguingand commented Jan 22, 2026

Uh oh!

aguingand Jan 22, 2026

Uh oh!

aguingand Jan 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

	DOMPurify.addHook('afterSanitizeAttributes', function (node) {
	if (node.tagName === 'A' && !node.getAttribute('rel')?.includes('noopener')) {
	node.setAttribute('rel', `${node.getAttribute('rel') ?? ''} noopener`.trim());
	}
	});

	export function sanitize(html: string \| null) {
	return html
	? DOMPurify.sanitize(html, {
	ADD_TAGS: ['iframe'],
	ADD_ATTR: ['target'],
	CUSTOM_ELEMENT_HANDLING: {
	tagNameCheck: () => true,
	attributeNameCheck: (name) => {
	return !name.match(/^(v-)\|:\|@\|#/); // remove vue related attributes
	},
	},
	})
	: html;
	}

	// Separate function that sanitizes all rendered Vue template, '{{' & '}}' should always be escaped
	export function sanitizeVueTemplate(template: string) {
	return template.replaceAll('{{', '{{').replaceAll('}}', '}}');
	}

	import { sanitizeVueTemplate } from "@/utils/sanitize";

	const props = defineProps<{
	template: string,
	components?: Record<string, Component>,
	}>();

	const component = computed(() => ({
	components: {
	'sharp-card': Card,
	'sharp-card-content': CardContent,
	'sharp-badge': Badge,
	...props.components,
	},
	template: `<div data-sharp-template>${sanitizeVueTemplate(props.template ?? '')}</div>`,
	}));

Conversation

rycks commented Jan 21, 2026

Uh oh!

aguingand commented Jan 22, 2026

Uh oh!

aguingand Jan 22, 2026

Choose a reason for hiding this comment

Uh oh!

aguingand Jan 22, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants