@abgov/jsonforms-components 2.47.4 → 2.47.5

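--- a/package/index.esm.js
+++ b/package/index.esm.js
@@ -14,6 +14,8 @@ import merge from 'lodash/merge';
 import isEmpty from 'lodash/isEmpty';
 import range from 'lodash/range';
 import pluralize from 'pluralize';
+import dompurify from 'dompurify';
+import * as xss from 'xss';
 import { evaluateSync, compileSync } from '@mdx-js/mdx';
 import { Parser } from 'expr-eval-fork';
 import addErrors from 'ajv-errors';
@@ -13193,6 +13195,81 @@ const SummaryRow = ({
 });
 };
 
+const options = {
+whiteList: {
+html: ['lang'],
+meta: ['name', 'content', 'charset'],
+div: ['style', 'class'],
+style: [],
+a: ['href', 'title', 'target', 'style', 'class'],
+em: [],
+main: [],
+footer: ['style'],
+header: ['style'],
+head: [],
+abbr: ['title', 'style'],
+title: [],
+address: ['style'],
+area: ['shape', 'coords', 'href', 'alt', 'style'],
+article: [],
+blockquote: [],
+aside: [],
+details: [],
+h1: [],
+h2: [],
+h3: [],
+h4: [],
+h5: [],
+h6: [],
+hr: [],
+i: [],
+img: ['src', 'alt', 'title', 'width', 'height'],
+ins: ['datetime'],
+li: [],
+mark: [],
+nav: [],
+ol: [],
+p: [],
+pre: [],
+s: [],
+section: [],
+small: [],
+span: ['class', 'style'],
+sub: [],
+summary: [],
+sup: [],
+select: [],
+optgroup: [],
+form: [],
+strong: [],
+label: [],
+strike: [],
+table: ['width', 'border', 'align', 'valign', 'class', 'style'],
+tbody: ['align', 'valign', 'class', 'style'],
+body: ['class', 'style'],
+td: ['width', 'rowspan', 'colspan', 'align', 'valign', 'class', 'style'],
+tfoot: ['align', 'valign', 'class', 'style'],
+th: ['width', 'rowspan', 'colspan', 'align', 'valign', 'class', 'style'],
+thead: ['align', 'valign'],
+tr: ['rowspan', 'align', 'valign'],
+tt: [],
+u: [],
+ul: [],
+br: [],
+b: [],
+option: []
+}
+}; // Custom rules
+new xss.FilterXSS(options);
+const sanitizeHtml = dompurify.sanitize;
+dompurify.addHook('afterSanitizeAttributes', function (node) {
+// set all elements owning target to target=_blank
+if ('target' in node) {
+node.setAttribute('target', '_blank');
+node.setAttribute('rel', 'noopener noreferrer');
+}
+});
+
 const _excluded$1 = ["type"];
 const AdditionalInstructionsRow = ({
 additionalInstructions,
@@ -13203,6 +13280,7 @@ const AdditionalInstructionsRow = ({
 const type = validTypes.includes(calloutType) ? calloutType : 'information';
 const _ref = componentProps || {},
 otherProps = _objectWithoutPropertiesLoose(_ref, _excluded$1);
+const sanitizedHtml = sanitizeHtml(additionalInstructions);
 return jsx("tr", {
 children: jsx("td", {
 colSpan: 2,
@@ -13211,7 +13289,11 @@ const AdditionalInstructionsRow = ({
 mt: "xl",
 mb: "l"
 }, otherProps, {
-children: additionalInstructions
+children: jsx("div", {
+dangerouslySetInnerHTML: {
+__html: sanitizedHtml
+}
+})
 }))
 })
 });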
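Review bot: The allow-list built in `options` (new lines 13198–13262) never takes effect: `new xss.FilterXSS(options)` on line 13263 constructs a filter and discards it, and `sanitizeHtml` is bound to `dompurify.sanitize` with no config, so the HTML reaching `dangerouslySetInnerHTML` in AdditionalInstructionsRow is governed by DOMPurify's defaults rather than the rules a reader will assume from this object. Either derive a DOMPurify config from it, `const sanitizeHtml = (dirty) => dompurify.sanitize(dirty, { ALLOWED_TAGS: Object.keys(options.whiteList), ALLOWED_ATTR: [...new Set(Object.values(options.whiteList).flat())] });`, or remove `options`, the discarded constructor call and the `xss` import (together with the `xss` entry added to package.json) so the dead code does not suggest a stricter filter than the one actually in force. The `afterSanitizeAttributes` hook is registered on the shared default DOMPurify instance at module load, so every other DOMPurify caller in the same bundle inherits the target/rel rewrite; creating a dedicated instance with `dompurify(window)` and registering the hook on it would keep that local to this renderer. AdditionalInstructionsRow's body continues past the hunk.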
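--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@abgov/jsonforms-components",
-"version": "2.47.4",
+"version": "2.47.5",
 "license": "Apache-2.0",
 "description": "Government of Alberta - React renderers for JSON Forms based on the design system.",
 "repository": "https://github.com/GovAlta/adsp-monorepo",
@@ -10,6 +10,8 @@
 "@jsonforms/core": "^3.1.0",
 "@jsonforms/react": "^3.1.0",
 "react": "^18.0.0",
+"dompurify": "^3.2.4",
+"xss": "^1.0.15",
 "ajv": "^8.6.1",
 "ajv-errors": "^3.0.0",
 "ajv-formats": "^3.0.1",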
@@ -0,0 +1,19 @@
1
+ import dompurify from 'dompurify';
2
+ export declare const sanitizeHtml: {
3
+ (dirty: string | Node, cfg: dompurify.Config & {
4
+ RETURN_TRUSTED_TYPE: true;
5
+ }): import("trusted-types/lib").TrustedHTML;
6
+ (dirty: Node, cfg: dompurify.Config & {
7
+ IN_PLACE: true;
8
+ }): Node;
9
+ (dirty: string | Node, cfg: dompurify.Config & {
10
+ RETURN_DOM: true;
11
+ }): Node;
12
+ (dirty: string | Node, cfg: dompurify.Config & {
13
+ RETURN_DOM_FRAGMENT: true;
14
+ }): DocumentFragment;
15
+ (dirty: string | Node, cfg?: dompurify.Config): string;
16
+ };
17
+ export declare function hasXSS(html: string): boolean;
18
+ export declare const htmlSanitized: (html: string) => string;
19
+ export declare const XSSErrorMessage = "The template contains content that could expose users to Cross Site Scripting attacks. Remove risky elements like <script> to save the template.";