@adobe/htlengine 6.4.1 → 6.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.husky/pre-commit +4 -0
- package/.nycrc.json +5 -1
- package/.renovaterc.json +27 -1
- package/CHANGELOG.md +14 -0
- package/package.json +17 -24
- package/src/runtime/xss_api.js +5 -44
package/.nycrc.json
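--- a/package/.renovaterc.json
+++ b/package/.renovaterc.json
@@ -1,3 +1,29 @@
 {
-  "extends": ["github>adobe/helix-shared"]
+  "extends": ["github>adobe/helix-shared"],
+  "packageRules": [
+    {
+      "packageNames": ["rehype-parse"],
+      "allowedVersions": "<8.0.0"
+    },
+    {
+      "packageNames": ["rehype-stringify"],
+      "allowedVersions": "<9.0.0"
+    },
+    {
+      "packageNames": ["remark-rehype"],
+      "allowedVersions": "<9.0.0"
+    },
+    {
+      "packageNames": ["remark-parse"],
+      "allowedVersions": "<10.0.0"
+    },
+    {
+      "packageNames": ["unified"],
+      "allowedVersions": "<10.0.0"
+    },
+    {
+      "packageNames": ["unist-util-inspect"],
+      "allowedVersions": "<7.0.0"
+    }
+  ]
 }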
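--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,17 @@
+## [6.4.3](https://github.com/adobe/htlengine/compare/v6.4.2...v6.4.3) (2022-09-30)
+
+
+### Bug Fixes
+
+* use dompurify ([#431](https://github.com/adobe/htlengine/issues/431)) ([276e607](https://github.com/adobe/htlengine/commit/276e607a1c34dacb39a52891941e464bc036142a))
+
+## [6.4.2](https://github.com/adobe/htlengine/compare/v6.4.1...v6.4.2) (2022-04-16)
+
+
+### Bug Fixes
+
+* **deps:** update dependency fs-extra to v10.1.0 ([#409](https://github.com/adobe/htlengine/issues/409)) ([b10849f](https://github.com/adobe/htlengine/commit/b10849f64da82b7bf1b9ebc5ca1ba08296a98475))
+
 ## [6.4.1](https://github.com/adobe/htlengine/compare/v6.4.0...v6.4.1) (2022-02-23)
 
 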
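--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@adobe/htlengine",
-  "version": "6.4.
+  "version": "6.4.3",
   "description": "Javascript Based HTL (Sightly) parser",
   "main": "src/index.js",
   "license": "Apache-2.0",
@@ -17,53 +17,46 @@
     "build:railroad": "nearley-railroad ./src/parser/grammar/sightly.ne --out ./src/parser/generated/grammar.html",
     "semantic-release": "semantic-release",
     "start": "node src/run.js",
-    "test": "c8
-    "
-    "
+    "test": "c8 mocha",
+    "lint": "eslint .",
+    "prepare": "husky install"
   },
   "dependencies": {
-    "
+    "dompurify": "2.4.0",
+    "fs-extra": "10.1.0",
     "he": "1.2.0",
-    "
+    "jsdom": "20.0.0",
+    "moment": "2.29.4",
     "moo": "0.5.1",
     "nearley": "2.20.1",
     "node-esapi": "0.0.1",
     "numeral": "2.0.6",
     "rehype-parse": "7.0.1",
-    "
-    "source-map": "0.7.3",
+    "source-map": "0.7.4",
     "unified": "9.2.2",
     "unist-util-inspect": "6.0.1",
-    "xregexp": "5.1.
+    "xregexp": "5.1.1"
   },
   "devDependencies": {
     "@semantic-release/changelog": "6.0.1",
     "@semantic-release/git": "10.0.1",
-    "
-    "
-    "codecov": "3.8.3",
-    "eslint": "8.9.0",
+    "c8": "7.12.0",
+    "eslint": "8.24.0",
     "eslint-config-airbnb-base": "15.0.0",
     "eslint-plugin-header": "3.1.1",
-    "eslint-plugin-import": "2.
-    "
-    "
-    "
-    "mocha": "9.2.1",
+    "eslint-plugin-import": "2.26.0",
+    "husky": "8.0.1",
+    "lint-staged": "13.0.3",
+    "mocha": "10.0.0",
     "mocha-junit-reporter": "2.0.2",
     "rehype-stringify": "8.0.0",
     "remark-parse": "9.0.0",
     "remark-rehype": "8.1.0",
-    "semantic-release": "19.0.
+    "semantic-release": "19.0.5"
   },
   "lint-staged": {
     "*.js": "eslint"
   },
-  "config": {
-    "ghooks": {
-      "pre-commit": "npx lint-staged"
-    }
-  },
   "bugs": {
     "url": "https://github.com/adobe/htlengine/issues"
   },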
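--- a/package/src/runtime/xss_api.js
+++ b/package/src/runtime/xss_api.js
@@ -12,9 +12,12 @@
 
 'use strict';
 
-const sanitizer = require('sanitizer');
 const esapiEncoder = require('node-esapi').encoder();
 const XRegExp = require('xregexp');
+const createDOMPurify = require('dompurify');
+const { JSDOM } = require('jsdom');
+
+const DOMPurify = createDOMPurify(new JSDOM('').window);
 
 const RESERVED_WORDS = {
   break: true,
@@ -144,48 +147,6 @@ function sanitizeURL(url) {
   return '';
 }
 
-/**
- * Sanitizes the specified attribute in the given array if present.
- *
- * @param {string} attribute the attribute to sanitize
- * @param {*} attribs the attributes array to sanitize from
- * @returns {object} the sanitized attribute and it's index in the array, or an empty object
- */
-function sanitizeURLOnAttr(attribute, attribs) {
-  const index = attribs.indexOf(attribute);
-  if (index > -1) {
-    return { index, sanitizedUrl: sanitizeURL(attribs[index + 1]) || null };
-  }
-  return {};
-}
-
-/**
- * A sanitization policy that validates src/href attributes against the URI scheme.
- *
- * @param {string} tagName The name of the tag currently parsed
- * @param {string[]} attribs An array of attribute names and values
- * @returns {object} the resulting sanitized attributes
- */
-function sanitizeURLPolicy(tagName, attribs) {
-  const initial = [].concat(attribs);
-  const result = sanitizer.makeTagPolicy()(tagName, attribs);
-  if (tagName === 'a') {
-    const { index, sanitizedUrl } = sanitizeURLOnAttr('href', initial);
-    result.attribs[index + 1] = sanitizedUrl;
-  } else if (tagName === 'img') {
-    const { index, sanitizedUrl } = sanitizeURLOnAttr('src', initial);
-    result.attribs[index + 1] = sanitizedUrl;
-  }
-  return result;
-}
-
-// function parseValidNumber(input) {
-//   if (NUMBER_PATTERN.test(input)) {
-//     return parseInt(input, 10);
-//   }
-//   return undefined;
-// }
-//
 /* eslint-disable no-underscore-dangle */
 const _NON_ASCII = '\\x00\\x08\\x0B\\x0C\\x0E-\\x1F';
 /** http://www.w3.org/TR/css-syntax-3/#number-token-diagram */
@@ -242,7 +203,7 @@ module.exports = {
    * @returns {String}
    */
   filterHTML(input) {
-    return
+    return DOMPurify.sanitize(input, { USE_PROFILES: { html: true } });
   },
 
   /**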
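Review bot: The new `filterHTML` body (new line 206) hands `href`/`src` validation entirely to DOMPurify's built-in URI allow-list, whereas the removed `sanitizeURLPolicy` ran those attributes through this module's own `sanitizeURL`; the two policies are not identical, so edge-case behaviour can shift (DOMPurify's defaults, for example, admit `data:` on `img src`, and whether `sanitizeURL` did is not visible here). If the module's URL policy is meant to hold inside filtered markup as well, re-attach it via DOMPurify's `ALLOWED_URI_REGEXP` option or an `uponSanitizeAttribute` hook that routes `href`/`src` through `sanitizeURL`, and pin the intended result for `javascript:` and `data:` inputs in a test. `USE_PROFILES: { html: true }` keeps SVG/MathML out of the allow-list, which is the right default for a template engine; a comment above the `return`, e.g. `// HTML profile only: SVG/MathML stay disallowed`, would make that intent explicit. The `DOMPurify` instance created at module load (new line 20) is shared by every call, so any later `setConfig`/`addHook` elsewhere would silently change `filterHTML`'s output; `filterHTML`'s enclosing `module.exports` object starts and ends outside the hunk.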