I want to integrate html in a input field in the admin panel. This input field is the description of car in which we want to use html tags. Since the input field will just be accessible for few personnel, is it really necessary to use DOMPurify sanitize? The description will be visible to all the site viewers though.
At first I was using Client side rendering in Astro, but later to increase the LCP(Largest Contentful Paint) I switched to SSR. Seems like we cant directly use DOMPurify in SSR. I want to remove it.
<div
class='mb-6 px-4'
dangerouslySetInnerHTML={{
__html: DOMPurify.sanitize(description),
}}
/>
While depending on your threat model you don't necessarily have to, I'd usually recommend sanitizing any user input, when it gets rendered as HTML. (Better safe than sorry.)
When thinking about security issues you'll want to consider the potential risk by estimating the harm vs. the likeliness of an exploit.
Regarding the harmfulness: XSS is generally one of the most dangerous security issues in webapps - especially when it's something that potentially affects alls users. Now, even if an exploit seems unlikely at first, just consider one of the following examples:
As I'm not too familiar with Astro, I unfortunately can't tell you how to best solve this with Astro and SSR, but if DOMPurify doesn't work, I'd imagine there are similar server side sanitizers to DOMPurify, even when using Astro with SSR.
An alternative to sanitzing the input during rendering (whether client side or server side) would be to sanitize the description on the server when it gets saved in the admin panel. That way you can assume it's safe for rendering later.