fix(#1999): sanitize text for ListBox items using DOMPurify

Author: majornista

packages/dev/docs/package.json

@@ -25,6 +25,7 @@
     "@spectrum-icons/workflow": "^4.0.0",
     "algoliasearch": "^4.14.1",
     "clsx": "^1.1.1",
+    "dompurify": "^2.3.10",
     "globals-docs": "^2.4.1",
     "highlight.js": "^11.6.0",
     "markdown-to-jsx": "^6.11.0",

packages/dev/docs/src/client.js

@@ -13,6 +13,7 @@
 import {ActionButton, defaultTheme, Provider, Text} from '@adobe/react-spectrum';
 import algoliasearch from 'algoliasearch/lite';
 import docsStyle from './docs.css';
+import DOMPurify from 'dompurify';
 import {Item, SearchAutocomplete, Section} from '@react-spectrum/autocomplete';
 import {listen} from 'quicklink';
 import React, {useEffect, useRef, useState} from 'react';
@@ -219,11 +220,11 @@ function DocSearch() {
       }
       section.items.push(
         <Item key={objectID} textValue={textValue.join(' | ')}>
-          <Text><span dangerouslySetInnerHTML={{__html: text.join(' | ')}} /></Text>
+          <Text><span dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(text.join(' | '))}} /></Text>
           {
             prediction.content &&
             <Text slot="description">
-              <span dangerouslySetInnerHTML={{__html: prediction._snippetResult.content.value}} />
+              <span dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(prediction._snippetResult.content.value)}} />
             </Text>
           }
         </Item>

yarn.lock

@@ -9616,6 +9616,11 @@ [email protected]:
   resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.3.8.tgz#224fe9ae57d7ebd9a1ae1ac18c1c1ca3f532226f"
   integrity sha512-eVhaWoVibIzqdGYjwsBWodIQIaXFSB+cKDf4cfxLMsK0xiud6SE+/WCVx/Xw/UwQsa4cS3T2eITcdtmTg2UKcw==
 
+dompurify@^2.3.10:
+  version "2.3.10"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.3.10.tgz#901f7390ffe16a91a5a556b94043314cd4850385"
+  integrity sha512-o7Fg/AgC7p/XpKjf/+RC3Ok6k4St5F7Q6q6+Nnm3p2zGWioAY6dh0CbbuwOhH2UcSzKsdniE/YnE2/92JcsA+g==
+
 [email protected]:
   version "1.5.1"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.5.1.tgz#dcd8488a26f563d61079e48c9f7b7e32373682cf"