@blocklet/xss 0.1.1 → 0.1.3
- package/{lib → cjs}/utils.js +16 -16
- package/es/utils.js +39 -16
- package/package.json +11 -9
- /package/{lib → cjs}/index.d.ts +0 -0
- /package/{lib → cjs}/index.js +0 -0
- /package/{lib → cjs}/types.d.ts +0 -0
- /package/{lib → cjs}/types.js +0 -0
- /package/{lib → cjs}/utils.d.ts +0 -0
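--- a/package/lib/utils.js
+++ b/package/cjs/utils.js
@@ -5,31 +5,31 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.initSanitize = void 0;
 var xss = _interopRequireWildcard(require("xss"));
+var _omit = _interopRequireDefault(require("lodash/omit"));
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return null; var r = new WeakMap(), t = new WeakMap(); return (_getRequireWildcardCache = function (e) { return e ? t : r; })(e); }
 function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != typeof e && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && Object.prototype.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
+const ignoreTagList = [
+// here is a blacklist
+"script", "img", "iframe", "body", "form", "style", "link", "meta", "bgsound", "svg", "embed", "object", "video", "audio", "source", "track", "marquee", "blink", "noscript", "param", "textarea", "input", "select", "button"];
+const ignoreTagMap = ignoreTagList.reduce((acc, item) => {
+acc[item] = true;
+return acc;
+}, {});
 let defaultOptions = {
 escapeHtml: str => str,
-
+whiteList: (0, _omit.default)(xss.getDefaultWhiteList(), ignoreTagList),
+onIgnoreTag: function (tag, html, options) {
+if (ignoreTagMap[tag]) {
+return "";
+}
+},
 stripIgnoreTagBody: ["script"]
 };
-function hasOwn(object, key) {
-const keys = Reflect.ownKeys(object).filter(item => typeof item !== "symbol");
-return keys.includes(key);
-}
-const initializeOptions = options => {
-const sanitizerOptions = {};
-if (hasOwn(options, "allowedKeys") && Array.isArray(options.allowedKeys) && options.allowedKeys.length > 0) {
-sanitizerOptions.allowedKeys = options.allowedKeys;
-}
-if (hasOwn(options, "whiteList") && typeof options.whiteList === "object") {
-sanitizerOptions.whiteList = options.whiteList;
-}
-return sanitizerOptions;
-};
 const initSanitize = (_options = {}) => {
 const options = {
 ...defaultOptions,
-...
+..._options
 };
 const xssInstance = new xss.FilterXSS(options);
 const sanitize = data => {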
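Review bot: `stripIgnoreTagBody: ["script"]` is left unchanged while the new `onIgnoreTag` now drops every tag in `ignoreTagList`, so for the listed elements whose content is not markup (`style`, `textarea`, `noscript`, `iframe`) only the wrapper tags are removed and their inner text is passed through, which is presumably not what a blacklist of these elements intends. If the body should be discarded as well, extend the list, e.g. `stripIgnoreTagBody: ["script", "style", "iframe", "noscript", "textarea"]`, and say so in a comment on the list. The lookup `ignoreTagMap[tag]` on a plain object also resolves inherited names such as `constructor` or `toString` as truthy, so the membership check is not exact; `const ignoreTagSet = new Set(ignoreTagList);` together with `if (ignoreTagSet.has(tag)) {` gives an own-membership test and removes the `reduce`. The same additions appear in package/es/utils.js and the same remarks apply there; `initSanitize` continues past the end of the hunk.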
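--- a/package/es/utils.js
+++ b/package/es/utils.js
@@ -1,27 +1,50 @@
 import * as xss from "xss";
+import omit from "lodash/omit";
+const ignoreTagList = [
+// here is a blacklist
+"script",
+"img",
+"iframe",
+"body",
+"form",
+"style",
+"link",
+"meta",
+"bgsound",
+"svg",
+"embed",
+"object",
+"video",
+"audio",
+"source",
+"track",
+"marquee",
+"blink",
+"noscript",
+"param",
+"textarea",
+"input",
+"select",
+"button"
+];
+const ignoreTagMap = ignoreTagList.reduce((acc, item) => {
+acc[item] = true;
+return acc;
+}, {});
 let defaultOptions = {
 escapeHtml: (str) => str,
-
+whiteList: omit(xss.getDefaultWhiteList(), ignoreTagList),
+onIgnoreTag: function(tag, html, options) {
+if (ignoreTagMap[tag]) {
+return "";
+}
+},
 stripIgnoreTagBody: ["script"]
 };
-function hasOwn(object, key) {
-const keys = Reflect.ownKeys(object).filter((item) => typeof item !== "symbol");
-return keys.includes(key);
-}
-const initializeOptions = (options) => {
-const sanitizerOptions = {};
-if (hasOwn(options, "allowedKeys") && Array.isArray(options.allowedKeys) && options.allowedKeys.length > 0) {
-sanitizerOptions.allowedKeys = options.allowedKeys;
-}
-if (hasOwn(options, "whiteList") && typeof options.whiteList === "object") {
-sanitizerOptions.whiteList = options.whiteList;
-}
-return sanitizerOptions;
-};
 export const initSanitize = (_options = {}) => {
 const options = {
 ...defaultOptions,
-...
+..._options
 };
 const xssInstance = new xss.FilterXSS(options);
 const sanitize = (data) => {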
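--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@blocklet/xss",
-"version": "0.1.
+"version": "0.1.3",
 "description": "blocklet prevent xss attack",
 "publishConfig": {
 "access": "public"
@@ -8,16 +8,16 @@
 "sideEffects": false,
 "exports": {
 ".": {
-"require": "./
+"require": "./cjs/index.js",
 "import": "./es/index.js",
-"types": "./
+"types": "./es/index.d.ts"
 }
 },
-"main": "./
+"main": "./cjs/index.js",
 "module": "./es/index.js",
-"types": "./
+"types": "./es/index.d.ts",
 "files": [
-"
+"cjs",
 "es",
 "*.d.ts"
 ],
@@ -28,20 +28,22 @@
 "author": "arcblock <blocklet@arcblock.io> https://github.com/blocklet",
 "license": "MIT",
 "dependencies": {
+"lodash": "^4.17.21",
 "xss": "^1.0.14"
 },
 "devDependencies": {
 "@arcblock/eslint-config-ts": "^0.2.4",
 "@types/chai": "^4.3.17",
-"@types/
+"@types/jest": "^29.5.12",
 "@types/supertest": "^6.0.2",
 "body-parser": "^1.20.2",
 "chai": "^5.1.1",
 "eslint": "^8.57.0",
 "esm": "^3.2.25",
 "express": "^4.19.2",
-"
+"jest": "^29.7.0",
 "supertest": "^7.0.0",
+"ts-jest": "^29.2.5",
 "ts-node": "^10.9.2",
 "typescript": "^5.4.5",
 "unbuild": "^2.0.0"
@@ -54,6 +56,6 @@
 "prepublish": "pnpm run build",
 "prebuild:dep": "pnpm run build",
 "preversion": "npm run lint && npm run test",
-"test": "
+"test": "jest"
 }
 }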
/package/{lib → cjs}/index.d.ts
RENAMED
|
File without changes
|
/package/{lib → cjs}/index.js
RENAMED
|
File without changes
|
/package/{lib → cjs}/types.d.ts
RENAMED
|
File without changes
|
/package/{lib → cjs}/types.js
RENAMED
|
File without changes
|
/package/{lib → cjs}/utils.d.ts
RENAMED
|
File without changes
|