Move `v-safe-html` from gitlab-ui to gitlab project
Context
We built the `v-safe-html` directive to protect against XSS attacks, as a secure alternative to `v-html`. We migrated many projects across GitLab to end the `v-html` usages.
Over time, `v-safe-html` has evolved to add further protections against various vulnerabilities in the gitlab-org/gitlab project.
Proposal
This is a proposal to fork the directive into the gitlab-org/gitlab project. This should help us:
- Roll out changes confidently with the help of feature flags, which are specific to the gitlab project. Related discussion at gitlab-ui!2943 (comment 1040842692).
- Reuse configuration across DOMPurify and `v-safe-html`
- Maintain and roll out configuration changes with a single MR
- Support the security release workflow
FAQs
- What happens to the `v-safe-html` directive in gitlab-ui?
We should keep maintaining it in the gitlab-ui repo as well, as it's used by other projects. Note that the directive did not receive any major bug fixes or feature implementations in the last two years, so we should be good.
- Why is this issue marked confidential?
Just being cautious in case we want to discuss an open issue like https://gitlab.com/gitlab-org/gitlab/-/issues/363725.
Implementation Plan
To be added here