Landon-Wivell commented May 8, 2025

Description

Implemented DOMPurify to sanitize HTML responses from response.js and success.js. Created sanitizer.js as a centralized, pre-configured instance of DOMPurify on the server. This also allows for implementation of sanitization elsewhere if needed in the future. These changes remediate a cross-site scripting vulnerability when users upload meter data.

Developed and implemented by:
Thomas Nigro - https://github.com/tnigro45
Landon Wivell - https://github.com/Landon-Wivell

Type of change

(Check the ones that apply by placing an "x" instead of the space in the [ ] so it becomes [x])

  • Note merging this changes the database configuration.
  • This change requires a documentation update

Checklist

(Note what you have done by placing an "x" instead of the space in the [ ] so it becomes [x]. It is hoped you do all of them.)

  • I have followed the OED pull request ideas
  • I have removed text in ( ) from the issue request
  • You acknowledge that every person contributing to this work has signed the OED Contributing License Agreement and each author is listed in the Description section.

Limitations

N/A
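As an added example, and not the project's own sanitizer.js: a server-side sanitizer module in the shape the description outlines, built once and shared by the code that composes upload responses. It assumes the `dompurify` and `jsdom` packages are installed; the message builders, their names, the allow-list and the sample upload row are constructed here for illustration. If DOMPurify cannot be loaded, the module falls back to escaping the whole message, which turns any markup into literal text.

```javascript
// Added example, not OED's sanitizer.js. One central sanitizer for HTML
// that goes back to the browser, applied to messages that embed content
// taken from an uploaded meter-data CSV (attacker-controlled text).
'use strict';

// DOMPurify needs a DOM on the server, so it is bound to a jsdom window.
// Both packages are assumed to be installed; when they are not, purify
// stays null and sanitize() falls back to escaping (safe, but no markup).
let purify = null;
try {
  const createDOMPurify = require('dompurify');
  const { JSDOM } = require('jsdom');
  purify = createDOMPurify(new JSDOM('').window);
} catch (e) {
  purify = null;
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// The only place response text is made safe. The allow-list is deliberately
// narrow: a status message needs a little formatting, never scripts, event
// handlers, attributes or links (ALLOWED_ATTR: [] drops every attribute).
function sanitize(html) {
  if (purify) {
    return purify.sanitize(String(html), {
      ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'br', 'p'],
      ALLOWED_ATTR: []
    });
  }
  return escapeHtml(html);
}

// Constructed message builders. rowText is copied straight from the CSV, so
// whatever the uploader wrote ends up in the reply; sanitize() is what keeps
// "<img src=x onerror=...>" in a meter name from running in the admin's browser.
function failureMessage(fileName, rowNumber, rowText) {
  return sanitize(`<p>Error in <b>${fileName}</b> at row ${rowNumber}: ${rowText}</p>`);
}

function successMessage(count) {
  return sanitize(`<p>Uploaded <b>${count}</b> meter readings.</p>`);
}

if (typeof module !== 'undefined') {
  module.exports = { sanitize, failureMessage, successMessage };
}
```

Keeping the DOMPurify instance in one module, as the PR does, means the allow-list is decided once; callers only choose what to say, not what is safe to render.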

@huss huss left a comment


Thanks to @tnigro45 & @Landon-Wivell for this contribution. I've made a number of comments to address. I'm going to delay full testing until these are addressed. Please let me know if you need anything.

@huss huss left a comment


Thanks to @Landon-Wivell & @tnigro45 for addressing the comments. Review found it addressed most comments. I updated a couple of comments and added a new one. I will be able to do full testing once the install issue is resolved. Please let me know if you need anything.

"csv": "~5.3.2",
"csv-stringify": "~5.6.5",
"d3": "~7.8.5",
"dompurify": "~3.2.6",
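Review bot: the version range on the new dependency line, `"dompurify": "~3.2.6",`, lets npm resolve any 3.2.x patch release, so only package-lock.json fixes the version that actually gets installed; the same holds for the jsdom package a server-side DOMPurify instance needs, which is outside this context. Include the corresponding lock entries for both packages in the change rather than relying on a fresh install to produce them.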
Member

The update to dompurify and jsdom is not reflected in the package-lock.json file. Since OED does not automatically update package-lock.json on install, it must be done as part of the changes. When I tried to do docker compose up with this version it failed due to this. This had been done for the previous addition in this PR. Thus, can you carefully update package-lock.json where it only does what is needed for the two updated packages (not a general npm install). Please let me know if you have questions or need help with this.

huss commented Aug 4, 2025

@Landon-Wivell & @tnigro45 It has been a few weeks and I have not seen any updates to the code. Thus, I wanted to touch base about this and see if you are working on it or I missed something. OED would like to integrate this work so we would appreciate knowing the status. If there is no communication by 8/15 then OED may move forward on this work. Thanks for your efforts to date.
