Fix code scanning alert no. 28: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: vrubezhny

package.json

@@ -74,7 +74,8 @@
 		"public-ui-test": "extest setup-tests -e ./test-resources/extensions -c max -i && npm run test:prepare && extest run-tests out/test/ui/public-ui-test.js -o test/ui/settings.json -m test/ui/.mocharc.js -e ./test-resources/extensions -c max"
 	},
 	"dependencies": {
-		"shelljs": "^0.8.5"
+		"shelljs": "^0.8.5",
+		"dompurify": "^3.2.1"
 	},
 	"devDependencies": {
 		"@codemirror/lang-yaml": "^6.1.1",

src/webview/common/devfileListItem.tsx

@@ -6,6 +6,7 @@ import { Check } from '@mui/icons-material';
 import { Box, Chip, Stack, Tooltip, Typography } from '@mui/material';
 import * as React from 'react';
 import validator from 'validator';
+import DOMPurify from 'dompurify';
 import DevfileLogo from '../../../images/context/devfile.png';
 import { DevfileData, DevfileInfo } from '../../devfile-registry/devfileInfo';
 
@@ -18,7 +19,7 @@ export type DevfileListItemProps = {
 
 function checkedDevfileLogoUrl(logoUrl?: string) {
     if (logoUrl && validator.isURL(logoUrl)) {
-        return logoUrl;
+        return DOMPurify.sanitize(logoUrl);
     }
     return DevfileLogo;
 }