CB-4743 adds html sanitizer (#2420)

* CB-4743 adds html sanitizer

* CB-4743 adds license to sanitizeHtml

* CB-4743 do not use sanitize to purify the json line data

* CB-4743 fix: toSafeHtmlString test correct cases

---------

Co-authored-by: s.teleshev <[email protected]>
Co-authored-by: mr-anton-t <[email protected]>

webapp/packages/core-utils/src/index.ts

@@ -77,3 +77,4 @@ export * from './removeLineBreak';
 export * from './replaceSubstring';
 export * from './formatNumber';
 export * from './withTimestamp';
+export * from './toSafeHtmlString';

webapp/packages/core-utils/src/toSafeHtmlString.test.tsx

@@ -0,0 +1,28 @@
+/*
+ * CloudBeaver - Cloud Database Manager
+ * Copyright (C) 2020-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0.
+ * you may not use this file except in compliance with the License.
+ */
+import { toSafeHtmlString } from './toSafeHtmlString';
+
+describe('toSafeHtmlString', () => {
+  it('should make html string safe', () => {
+    const input = '<script>alert("some unsafe action")</script>';
+    const output = toSafeHtmlString(input);
+    expect(output).toBe('&lt;script&gt;alert("some unsafe action")&lt;/script&gt;');
+  });
+
+  it('should return empty string', () => {
+    const input = '';
+    const output = toSafeHtmlString(input);
+    expect(output).toBe('');
+  });
+
+  it('should return the same string', () => {
+    const input = 'some safe string';
+    const output = toSafeHtmlString(input);
+    expect(output).toBe(input);
+  });
+});

webapp/packages/core-utils/src/toSafeHtmlString.ts

@@ -0,0 +1,14 @@
+/*
+ * CloudBeaver - Cloud Database Manager
+ * Copyright (C) 2020-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0.
+ * you may not use this file except in compliance with the License.
+ */
+export function toSafeHtmlString(dirty: string): string {
+  const el = document.createElement('div');
+  el.innerText = el.textContent = dirty;
+  dirty = el.innerHTML;
+
+  return dirty;
+}