I am trying to build a React.js SharePoint modern web part, which have the following capabilities:-
1) Inside the Web Part settings page >> there are 2 fields named as "Who We Are" & "Our Value" which allow the user to enter HTML.
2) The web part will render 2 buttons "Who We Are" & "Our Value" >> and when the user clicks on any button >> a Popup will be shown with the entered HTML code in step-1
Something as follow:-
But to be able to render HTML code as Rich-Text inside my Web Part, i have to use the dangerouslySetInnerHTML attribute inside the .tsx file. as follow:-
code inside the attached file149744-code.txt
And to secure the dangerouslySetInnerHTML, i did the following steps:-
1- Inside my Node.Js CMD >> i run this command inside my project directory:-
npm install dompurify eslint-plugin-risxss
2- Then inside my above .tsx i made the following modifications:-
I added this import `import { sanitize } from 'dompurify';`
An I replaced this unsafe code `<p dangerouslySetInnerHTML={<!-- -->{__html:myprops.OurValue}}></p>` with this `<div dangerouslySetInnerHTML={<!-- -->{ __html: sanitize(myprops.OurValue) }} />`
So I have the following question:-
Now my approach (of using sanitize(myprops.OurValue)
will/should securely render HTML as Rich-Text inside the popup since i am using the sanitize function which is part of the dompurify eslint-plugin-risxss. but i read another approach which mentioned that to securely render HTML as Rich-Text inside the popup, we can use the html-react-parser package as follow {parse(myprops.OurValue)}
. So what are the differences between using 'html-react-parser' & using 'dompurify eslint-plugin-risxss' to securely render an HTML code as Rich-Text inside the React web part's popup?