Centralize and Fix DOMPurify Sanitizer

[Zachary-Squires]

Description

Merges changes from PR #1488 (#1488) and fixes the issue where the update to DOMPurify and jsdom was not reflected in the package-lock.json file. Now that DOMPurify is properly implemented the cross-site scripting vulnerability when users upload meter data should be remediated.

Developed and Implemented by:
Zachary Squires - https://github.com/Zachary-Squires
Zachary Bates - https://github.com/Zach-O-Bates
Krista Clanton - https://github.com/Quillen09

Type of change

• Note merging this changes the database configuration.
• This change requires a documentation update

Checklist

(Note what you have done by placing an "x" instead of the space in the [ ] so it becomes [x]. It is hoped you do all of them.)

• [x ] I have followed the OED pull request ideas
• I have removed text in ( ) from the issue request
• [x ] You acknowledge that every person contributing to this work has signed the OED Contributing License Agreement and each author is listed in the Description section.

Limitations

N/A

[huss]

Thanks to @Zachary-Squires, @Zach-O-Bates & @Quillen09 for their first contribution to OED. I'm sorry this took so long as my time was directed elsewhere. I have made a some comments to consider. I note that several are not your changes to the previous PR but should be addressed. Second, here are some file-level comments:

• Several files seem to have the only change as the file attributes of 755 (rwxr-xr-x) TO 644 (rw-r--r--). These are:

  • src/scripts/. These were set the have execute (x) so that copying them to the cron location (per site installation directions) would make them executable as normally done. It saves doing this manually. I see that one could accidentally execute the file via the script directory and this change avoids that. However, I think it might be better to either do this for all cron sample files (the refresh*.bash do not seem changed) or none. It also seems a different area than the pull request and is not in the description. I'm open to a discussion of this but would be inclined to make this a separate pull request if people want to do this. The files that seem to have these changes are:

    • sendLogEmailCron.bash
    • updateEgaugeMetersOEDCron.bash
    • updateMamacMetersOEDCron.bash

  • docker-compose.yml changed but I think that is okay as it is a configuration file.

• Five files in src/server/test/web/readingsData/*.csv are shown as having changes but it seems to show the line as deleted and then the same line added. I'm not sure why this is happening but maybe it relates to the change in .gitattributes? Do you have any ideas?

  • Update: I manually checked each file and there are no diffs. I suspect this is due to saving a file (maybe due to line endings that were then put back?) and this is confusing git. I'm going to ignore this listed change and accept it.

Please let me know if you have any questions/thoughts.

[huss]

@Zachary-Squires, @Zach-O-Bates & @Quillen09 I looked over the changes. I've left the comments that did not seem to be addressed and added a couple of more comments. I'm waiting to do final testing until everything is resolved. Please let me know if you have any questions/thoughts.

[huss]

Thanks to @Zachary-Squires, @Zach-O-Bates & @Quillen09 for the updated code. I've made a few comments to address. Also, The comment from 10/27 on the scripts and .csv files showing changes is still present. I think it needs to be resolved. Please let me know if something is not clear or you need anything.

[huss]

I think testing for .not having "alert" (and maybe other strings?) would strengthen this test.