@blocklet/xss 0.2.7 → 0.2.9

package/cjs/index.d.ts

@@ -8,6 +8,6 @@ declare const _default: {
         name?: string;
         type?: string;
     }) => boolean;
-    sanitizeSvg: (svgContent: string) => string;
+    sanitizeSvg: (svgContent: string, options?: SanitizeOptions, svgOptions?: import("xss").IFilterXSSOptions) => string;
 };
 export default _default;

package/cjs/types.d.ts

@@ -1,4 +1,5 @@
 import * as xss from 'xss';
 export interface SanitizeOptions extends xss.IFilterXSSOptions {
     allowedKeys?: string[];
+    preserveCase?: boolean;
 }

package/cjs/utils.d.ts

@@ -1,6 +1,27 @@
+import * as xss from 'xss';
 import { SanitizeOptions } from './types';
 export declare const initSanitize: (_options?: SanitizeOptions) => any;
-export declare const sanitizeSvg: (svgContent: string) => string;
+export declare const svgWhiteList: {
+    svg: string[];
+    circle: string[];
+    ellipse: string[];
+    line: string[];
+    path: string[];
+    polygon: string[];
+    polyline: string[];
+    rect: string[];
+    g: string[];
+    text: string[];
+    defs: never[];
+    clipPath: string[];
+    mask: string[];
+    use: string[];
+    linearGradient: string[];
+    radialGradient: string[];
+    stop: string[];
+    pattern: string[];
+};
+export declare const sanitizeSvg: (svgContent: string, options?: SanitizeOptions, svgOptions?: xss.IFilterXSSOptions) => string;
 export declare const isSvgFile: (svgContent: string, file?: {
     name?: string;
     type?: string;

package/cjs/utils.js

@@ -3,8 +3,9 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.sanitizeSvg = exports.isSvgFile = exports.initSanitize = void 0;
-var xss = _interopRequireWildcard(require("xss"));
+exports.svgWhiteList = exports.sanitizeSvg = exports.isSvgFile = exports.initSanitize = void 0;
+var _xss = _interopRequireWildcard(require("xss"));
+var xss = _xss;
 var _omit = _interopRequireDefault(require("lodash/omit"));
 var _path = _interopRequireDefault(require("path"));
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
@@ -25,22 +26,32 @@ let defaultOptions = {
       return "";
     }
   },
+  onTagAttr: (tag, html) => {
+    if (tag === "!BACKUP") {
+      return html;
+    }
+  },
   stripIgnoreTagBody: ["script"]
 };
+function advanceProcess(html, options) {
+  while (html !== (0, _xss.filterXSS)(html, options)) {
+    html = (0, _xss.filterXSS)(html, options);
+  }
+  return html;
+}
 const initSanitize = (_options = {}) => {
   const options = {
     ...defaultOptions,
     ..._options
   };
-  const xssInstance = new xss.FilterXSS(options);
   const sanitize = data => {
     if (typeof data === "string") {
-      return xssInstance.process(data);
+      return advanceProcess(data, options);
     }
     if (Array.isArray(data)) {
       return data.map(item => {
         if (typeof item === "string") {
-          return xssInstance.process(item);
+          return advanceProcess(item, options);
         }
         if (Array.isArray(item) || typeof item === "object") {
           return sanitize(item);
@@ -55,7 +66,7 @@ const initSanitize = (_options = {}) => {
         }
         const item = data[key];
         if (typeof item === "string") {
-          data[key] = xssInstance.process(item);
+          data[key] = advanceProcess(item, options);
         } else if (Array.isArray(item) || typeof item === "object") {
           data[key] = sanitize(item);
         }
@@ -66,7 +77,38 @@ const initSanitize = (_options = {}) => {
   return sanitize;
 };
 exports.initSanitize = initSanitize;
-const svgWhiteList = {
+function preserveTagCase(content) {
+  const tagCaseMapping = {};
+  Object.keys(svgWhiteList).forEach(originalTag => {
+    const lowerCaseTag = originalTag.toLowerCase();
+    if (lowerCaseTag !== originalTag) {
+      tagCaseMapping[lowerCaseTag] = originalTag;
+    }
+  });
+  let result = content;
+  Object.entries(tagCaseMapping).forEach(([lowercase, original]) => {
+    result = result.replace(new RegExp(`<${lowercase}([^>]*)>`, "gi"), (_match, rest) => `<${original}${rest}>`);
+    result = result.replace(new RegExp(`</${lowercase}>`, "gi"), `</${original}>`);
+  });
+  return result;
+}
+function preserveAttrCase(tag, name, value, isWhiteAttr) {
+  if (isWhiteAttr) {
+    const originalTagKey = Object.keys(svgWhiteList).find(key => key.toLowerCase() === tag.toLowerCase());
+    if (originalTagKey) {
+      const originalAttrName = svgWhiteList[originalTagKey].find(attr => attr.toLowerCase() === name.toLowerCase());
+      if (originalAttrName) {
+        value = xss.safeAttrValue(tag, name, value);
+        if (value) {
+          return originalAttrName + '="' + value + '"';
+        } else {
+          return originalAttrName;
+        }
+      }
+    }
+  }
+}
+const svgWhiteList = exports.svgWhiteList = {
   svg: ["width", "height", "viewBox", "xmlns", "version", "preserveAspectRatio", "xml:space"],
   circle: ["cx", "cy", "r", "fill", "stroke", "stroke-width", "fill-opacity", "stroke-opacity"],
   ellipse: ["cx", "cy", "rx", "ry", "fill", "stroke", "stroke-width"],
@@ -114,13 +156,20 @@ const svgSanitizeOptions = {
     }
   }
 };
-const sanitizeSvg = svgContent => {
+const sanitizeSvg = (svgContent, options, svgOptions) => {
   const isSvg = isSvgFile(svgContent);
   if (!isSvg) {
     throw new Error("Invalid SVG content");
   }
-  const xssInstance = new xss.FilterXSS(svgSanitizeOptions);
-  return xssInstance.process(svgContent);
+  const filterOptions = {
+    ...svgSanitizeOptions,
+    ...(svgOptions || {})
+  };
+  if (options?.preserveCase) {
+    filterOptions.onTagAttr = preserveAttrCase;
+  }
+  const processedContent = advanceProcess(svgContent, filterOptions);
+  return options?.preserveCase ? preserveTagCase(processedContent) : processedContent;
 };
 exports.sanitizeSvg = sanitizeSvg;
 const isSvgFile = (svgContent, file) => {

package/es/index.d.ts

@@ -8,6 +8,6 @@ declare const _default: {
         name?: string;
         type?: string;
     }) => boolean;
-    sanitizeSvg: (svgContent: string) => string;
+    sanitizeSvg: (svgContent: string, options?: SanitizeOptions, svgOptions?: import("xss").IFilterXSSOptions) => string;
 };
 export default _default;

package/es/types.d.ts

@@ -1,4 +1,5 @@
 import * as xss from 'xss';
 export interface SanitizeOptions extends xss.IFilterXSSOptions {
     allowedKeys?: string[];
+    preserveCase?: boolean;
 }

package/es/utils.d.ts

@@ -1,6 +1,27 @@
+import * as xss from 'xss';
 import { SanitizeOptions } from './types';
 export declare const initSanitize: (_options?: SanitizeOptions) => any;
-export declare const sanitizeSvg: (svgContent: string) => string;
+export declare const svgWhiteList: {
+    svg: string[];
+    circle: string[];
+    ellipse: string[];
+    line: string[];
+    path: string[];
+    polygon: string[];
+    polyline: string[];
+    rect: string[];
+    g: string[];
+    text: string[];
+    defs: never[];
+    clipPath: string[];
+    mask: string[];
+    use: string[];
+    linearGradient: string[];
+    radialGradient: string[];
+    stop: string[];
+    pattern: string[];
+};
+export declare const sanitizeSvg: (svgContent: string, options?: SanitizeOptions, svgOptions?: xss.IFilterXSSOptions) => string;
 export declare const isSvgFile: (svgContent: string, file?: {
     name?: string;
     type?: string;

package/es/utils.js

@@ -1,4 +1,5 @@
 import * as xss from "xss";
+import { filterXSS } from "xss";
 import omit from "lodash/omit";
 import path from "path";
 const ignoreTagList = [
@@ -40,22 +41,32 @@ let defaultOptions = {
       return "";
     }
   },
+  onTagAttr: (tag, html) => {
+    if (tag === "!BACKUP") {
+      return html;
+    }
+  },
   stripIgnoreTagBody: ["script"]
 };
+function advanceProcess(html, options) {
+  while (html !== filterXSS(html, options)) {
+    html = filterXSS(html, options);
+  }
+  return html;
+}
 export const initSanitize = (_options = {}) => {
   const options = {
     ...defaultOptions,
     ..._options
   };
-  const xssInstance = new xss.FilterXSS(options);
   const sanitize = (data) => {
     if (typeof data === "string") {
-      return xssInstance.process(data);
+      return advanceProcess(data, options);
     }
     if (Array.isArray(data)) {
       return data.map((item) => {
         if (typeof item === "string") {
-          return xssInstance.process(item);
+          return advanceProcess(item, options);
         }
         if (Array.isArray(item) || typeof item === "object") {
           return sanitize(item);
@@ -70,7 +81,7 @@ export const initSanitize = (_options = {}) => {
         }
         const item = data[key];
         if (typeof item === "string") {
-          data[key] = xssInstance.process(item);
+          data[key] = advanceProcess(item, options);
         } else if (Array.isArray(item) || typeof item === "object") {
           data[key] = sanitize(item);
         }
@@ -80,7 +91,40 @@ export const initSanitize = (_options = {}) => {
   };
   return sanitize;
 };
-const svgWhiteList = {
+function preserveTagCase(content) {
+  const tagCaseMapping = {};
+  Object.keys(svgWhiteList).forEach((originalTag) => {
+    const lowerCaseTag = originalTag.toLowerCase();
+    if (lowerCaseTag !== originalTag) {
+      tagCaseMapping[lowerCaseTag] = originalTag;
+    }
+  });
+  let result = content;
+  Object.entries(tagCaseMapping).forEach(([lowercase, original]) => {
+    result = result.replace(new RegExp(`<${lowercase}([^>]*)>`, "gi"), (_match, rest) => `<${original}${rest}>`);
+    result = result.replace(new RegExp(`</${lowercase}>`, "gi"), `</${original}>`);
+  });
+  return result;
+}
+function preserveAttrCase(tag, name, value, isWhiteAttr) {
+  if (isWhiteAttr) {
+    const originalTagKey = Object.keys(svgWhiteList).find((key) => key.toLowerCase() === tag.toLowerCase());
+    if (originalTagKey) {
+      const originalAttrName = svgWhiteList[originalTagKey].find(
+        (attr) => attr.toLowerCase() === name.toLowerCase()
+      );
+      if (originalAttrName) {
+        value = xss.safeAttrValue(tag, name, value);
+        if (value) {
+          return originalAttrName + '="' + value + '"';
+        } else {
+          return originalAttrName;
+        }
+      }
+    }
+  }
+}
+export const svgWhiteList = {
   svg: ["width", "height", "viewBox", "xmlns", "version", "preserveAspectRatio", "xml:space"],
   circle: ["cx", "cy", "r", "fill", "stroke", "stroke-width", "fill-opacity", "stroke-opacity"],
   ellipse: ["cx", "cy", "rx", "ry", "fill", "stroke", "stroke-width"],
@@ -128,13 +172,17 @@ const svgSanitizeOptions = {
     }
   }
 };
-export const sanitizeSvg = (svgContent) => {
+export const sanitizeSvg = (svgContent, options, svgOptions) => {
   const isSvg = isSvgFile(svgContent);
   if (!isSvg) {
     throw new Error("Invalid SVG content");
   }
-  const xssInstance = new xss.FilterXSS(svgSanitizeOptions);
-  return xssInstance.process(svgContent);
+  const filterOptions = { ...svgSanitizeOptions, ...svgOptions || {} };
+  if (options?.preserveCase) {
+    filterOptions.onTagAttr = preserveAttrCase;
+  }
+  const processedContent = advanceProcess(svgContent, filterOptions);
+  return options?.preserveCase ? preserveTagCase(processedContent) : processedContent;
 };
 export const isSvgFile = (svgContent, file) => {
   if (typeof svgContent !== "string") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blocklet/xss",
-  "version": "0.2.7",
+  "version": "0.2.9",
   "description": "blocklet prevent xss attack",
   "publishConfig": {
     "access": "public"
@@ -49,7 +49,7 @@
     "unbuild": "^2.0.0"
   },
   "scripts": {
-    "coverage": "pnpm test -- --coverage",
+    "coverage": "npm run test -- --coverage",
     "build": "unbuild",
     "build:watch": "npx nodemon --ext 'ts,tsx,json,js,jsx' --exec 'pnpm run build' --ignore 'lib/*' --ignore 'es/*' ",
     "dev": "pnpm run build:watch",