@adobe/htlengine 6.4.2 → 6.4.4

package/.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx lint-staged

package/.nycrc.json

@@ -5,5 +5,9 @@
     "lcov",
     "text",
     "text-summary"
-  ]
+  ],
+  "check-coverage": true,
+  "lines": 95,
+  "branches": 89,
+  "statements": 95
 }

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [6.4.4](https://github.com/adobe/htlengine/compare/v6.4.3...v6.4.4) (2022-11-14)
+
+
+### Bug Fixes
+
+* **deps:** update external fixes ([#439](https://github.com/adobe/htlengine/issues/439)) ([7de4463](https://github.com/adobe/htlengine/commit/7de4463e5e210a3533342548234869eae6cfdc7c))
+
+## [6.4.3](https://github.com/adobe/htlengine/compare/v6.4.2...v6.4.3) (2022-09-30)
+
+
+### Bug Fixes
+
+* use dompurify ([#431](https://github.com/adobe/htlengine/issues/431)) ([276e607](https://github.com/adobe/htlengine/commit/276e607a1c34dacb39a52891941e464bc036142a))
+
 ## [6.4.2](https://github.com/adobe/htlengine/compare/v6.4.1...v6.4.2) (2022-04-16)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/htlengine",
-  "version": "6.4.2",
+  "version": "6.4.4",
   "description": "Javascript Based HTL (Sightly) parser",
   "main": "src/index.js",
   "license": "Apache-2.0",
@@ -17,53 +17,46 @@
     "build:railroad": "nearley-railroad ./src/parser/grammar/sightly.ne  --out ./src/parser/generated/grammar.html",
     "semantic-release": "semantic-release",
     "start": "node src/run.js",
-    "test": "c8 --check-coverage --branches 68 --statements 82 --lines 82 mocha",
-    "test-ci": "npm run lint && npm run test && codecov",
-    "lint": "eslint ."
+    "test": "c8 mocha",
+    "lint": "eslint .",
+    "prepare": "husky install"
   },
   "dependencies": {
+    "dompurify": "2.4.1",
     "fs-extra": "10.1.0",
     "he": "1.2.0",
-    "moment": "2.29.2",
-    "moo": "0.5.1",
+    "jsdom": "20.0.2",
+    "moment": "2.29.4",
+    "moo": "0.5.2",
     "nearley": "2.20.1",
     "node-esapi": "0.0.1",
     "numeral": "2.0.6",
     "rehype-parse": "7.0.1",
-    "sanitizer": "0.1.3",
-    "source-map": "0.7.3",
+    "source-map": "0.7.4",
     "unified": "9.2.2",
     "unist-util-inspect": "6.0.1",
-    "xregexp": "5.1.0"
+    "xregexp": "5.1.1"
   },
   "devDependencies": {
     "@semantic-release/changelog": "6.0.1",
     "@semantic-release/git": "10.0.1",
-    "@semantic-release/github": "8.0.4",
-    "c8": "7.11.0",
-    "codecov": "3.8.3",
-    "eslint": "8.13.0",
+    "c8": "7.12.0",
+    "eslint": "8.27.0",
     "eslint-config-airbnb-base": "15.0.0",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.26.0",
-    "ghooks": "2.0.4",
-    "jsdom": "19.0.0",
-    "lint-staged": "12.3.8",
-    "mocha": "9.2.2",
-    "mocha-junit-reporter": "2.0.2",
+    "husky": "8.0.2",
+    "lint-staged": "13.0.3",
+    "mocha": "10.1.0",
+    "mocha-junit-reporter": "2.1.1",
     "rehype-stringify": "8.0.0",
     "remark-parse": "9.0.0",
     "remark-rehype": "8.1.0",
-    "semantic-release": "19.0.2"
+    "semantic-release": "19.0.5"
   },
   "lint-staged": {
     "*.js": "eslint"
   },
-  "config": {
-    "ghooks": {
-      "pre-commit": "npx lint-staged"
-    }
-  },
   "bugs": {
     "url": "https://github.com/adobe/htlengine/issues"
   },

package/src/runtime/xss_api.js

@@ -12,9 +12,12 @@
 
 'use strict';
 
-const sanitizer = require('sanitizer');
 const esapiEncoder = require('node-esapi').encoder();
 const XRegExp = require('xregexp');
+const createDOMPurify = require('dompurify');
+const { JSDOM } = require('jsdom');
+
+const DOMPurify = createDOMPurify(new JSDOM('').window);
 
 const RESERVED_WORDS = {
   break: true,
@@ -144,48 +147,6 @@ function sanitizeURL(url) {
   return '';
 }
 
-/**
- * Sanitizes the specified attribute in the given array if present.
- *
- * @param {string} attribute the attribute to sanitize
- * @param {*} attribs the attributes array to sanitize from
- * @returns {object} the sanitized attribute and it's index in the array, or an empty object
- */
-function sanitizeURLOnAttr(attribute, attribs) {
-  const index = attribs.indexOf(attribute);
-  if (index > -1) {
-    return { index, sanitizedUrl: sanitizeURL(attribs[index + 1]) || null };
-  }
-  return {};
-}
-
-/**
- * A sanitization policy that validates src/href attributes against the URI scheme.
- *
- * @param {string} tagName The name of the tag currently parsed
- * @param {string[]} attribs An array of attribute names and values
- * @returns {object} the resulting sanitized attributes
- */
-function sanitizeURLPolicy(tagName, attribs) {
-  const initial = [].concat(attribs);
-  const result = sanitizer.makeTagPolicy()(tagName, attribs);
-  if (tagName === 'a') {
-    const { index, sanitizedUrl } = sanitizeURLOnAttr('href', initial);
-    result.attribs[index + 1] = sanitizedUrl;
-  } else if (tagName === 'img') {
-    const { index, sanitizedUrl } = sanitizeURLOnAttr('src', initial);
-    result.attribs[index + 1] = sanitizedUrl;
-  }
-  return result;
-}
-
-// function parseValidNumber(input) {
-//   if (NUMBER_PATTERN.test(input)) {
-//     return parseInt(input, 10);
-//   }
-//   return undefined;
-// }
-//
 /* eslint-disable no-underscore-dangle */
 const _NON_ASCII = '\\x00\\x08\\x0B\\x0C\\x0E-\\x1F';
 /** http://www.w3.org/TR/css-syntax-3/#number-token-diagram */
@@ -242,7 +203,7 @@ module.exports = {
    * @returns {String}
    */
   filterHTML(input) {
-    return sanitizer.sanitizeWithPolicy(input, sanitizeURLPolicy);
+    return DOMPurify.sanitize(input, { USE_PROFILES: { html: true } });
   },
 
   /**