@blocklet/xss 0.2.8 → 0.2.10
- package/cjs/utils.js +17 -7
- package/es/utils.js +16 -6
- package/package.json +2 -2
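--- a/package/cjs/utils.js
+++ b/package/cjs/utils.js
@@ -4,7 +4,8 @@ Object.defineProperty(exports, "__esModule", {
 value: true
 });
 exports.svgWhiteList = exports.sanitizeSvg = exports.isSvgFile = exports.initSanitize = void 0;
-var
+var _xss = _interopRequireWildcard(require("xss"));
+var xss = _xss;
 var _omit = _interopRequireDefault(require("lodash/omit"));
 var _path = _interopRequireDefault(require("path"));
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
@@ -25,22 +26,32 @@ let defaultOptions = {
 return "";
 }
 },
+onTagAttr: (tag, html) => {
+if (tag === "!BACKUP") {
+return html;
+}
+},
 stripIgnoreTagBody: ["script"]
 };
+function advanceProcess(html, options) {
+while (html !== (0, _xss.filterXSS)(html, options)) {
+html = (0, _xss.filterXSS)(html, options);
+}
+return html;
+}
 const initSanitize = (_options = {}) => {
 const options = {
 ...defaultOptions,
 ..._options
 };
-const xssInstance = new xss.FilterXSS(options);
 const sanitize = data => {
 if (typeof data === "string") {
-return
+return advanceProcess(data, options);
 }
 if (Array.isArray(data)) {
 return data.map(item => {
 if (typeof item === "string") {
-return
+return advanceProcess(item, options);
 }
 if (Array.isArray(item) || typeof item === "object") {
 return sanitize(item);
@@ -55,7 +66,7 @@ const initSanitize = (_options = {}) => {
 }
 const item = data[key];
 if (typeof item === "string") {
-data[key] =
+data[key] = advanceProcess(item, options);
 } else if (Array.isArray(item) || typeof item === "object") {
 data[key] = sanitize(item);
 }
@@ -157,8 +168,7 @@ const sanitizeSvg = (svgContent, options, svgOptions) => {
 if (options?.preserveCase) {
 filterOptions.onTagAttr = preserveAttrCase;
 }
-const
-const processedContent = xssInstance.process(svgContent);
+const processedContent = advanceProcess(svgContent, filterOptions);
 return options?.preserveCase ? preserveTagCase(processedContent) : processedContent;
 };
 exports.sanitizeSvg = sanitizeSvg;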
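Review bot: `advanceProcess` (new lines 36-41 of the second hunk) re-runs `filterXSS` over untrusted input with no upper bound on iterations and invokes it twice per iteration, once in the `while` condition and once in the body, so a document that needs k passes to stabilise costs 2k full parses and any input on which the filter never reaches a fixed point never returns. A sanitizer should fail closed here: compute each pass once, cap the number of passes, and treat hitting the cap as a sanitisation failure rather than handing back the last intermediate string. The loop also deserves a comment on why a fixed point is required, presumably because one pass can leave text that only becomes markup after the first strip; confirm that against the cases this release was meant to fix. The same function, minus the `(0, _xss.filterXSS)` call form, is added to package/es/utils.js and needs the same change.
```javascript
// Upper bound on sanitizer passes; reaching it means the filter did not converge.
const MAX_SANITIZE_PASSES = 8; // constructed value — tune to observed inputs
function advanceProcess(html, options, maxPasses = MAX_SANITIZE_PASSES) {
  let current = html;
  for (let pass = 0; pass < maxPasses; pass += 1) {
    const next = (0, _xss.filterXSS)(current, options);
    if (next === current) {
      return current;
    }
    current = next;
  }
  // Fail closed: never return a string the filter has not shown to be stable.
  throw new Error(`sanitizer did not converge within ${maxPasses} passes`);
}
```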
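--- a/package/es/utils.js
+++ b/package/es/utils.js
@@ -1,4 +1,5 @@
 import * as xss from "xss";
+import { filterXSS } from "xss";
 import omit from "lodash/omit";
 import path from "path";
 const ignoreTagList = [
@@ -40,22 +41,32 @@ let defaultOptions = {
 return "";
 }
 },
+onTagAttr: (tag, html) => {
+if (tag === "!BACKUP") {
+return html;
+}
+},
 stripIgnoreTagBody: ["script"]
 };
+function advanceProcess(html, options) {
+while (html !== filterXSS(html, options)) {
+html = filterXSS(html, options);
+}
+return html;
+}
 export const initSanitize = (_options = {}) => {
 const options = {
 ...defaultOptions,
 ..._options
 };
-const xssInstance = new xss.FilterXSS(options);
 const sanitize = (data) => {
 if (typeof data === "string") {
-return
+return advanceProcess(data, options);
 }
 if (Array.isArray(data)) {
 return data.map((item) => {
 if (typeof item === "string") {
-return
+return advanceProcess(item, options);
 }
 if (Array.isArray(item) || typeof item === "object") {
 return sanitize(item);
@@ -70,7 +81,7 @@ export const initSanitize = (_options = {}) => {
 }
 const item = data[key];
 if (typeof item === "string") {
-data[key] =
+data[key] = advanceProcess(item, options);
 } else if (Array.isArray(item) || typeof item === "object") {
 data[key] = sanitize(item);
 }
@@ -170,8 +181,7 @@ export const sanitizeSvg = (svgContent, options, svgOptions) => {
 if (options?.preserveCase) {
 filterOptions.onTagAttr = preserveAttrCase;
 }
-const
-const processedContent = xssInstance.process(svgContent);
+const processedContent = advanceProcess(svgContent, filterOptions);
 return options?.preserveCase ? preserveTagCase(processedContent) : processedContent;
 };
 export const isSvgFile = (svgContent, file) => {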
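Review bot: The `onTagAttr` callback added to `defaultOptions` in the second hunk names its second parameter `html` and returns it unfiltered for a tag called `!BACKUP`, but the xss library's callback is `onTagAttr(tag, name, value, isWhiteAttr)` and a returned string becomes that attribute's output, so what is emitted here is the bare attribute name with its value dropped; and if the parser lowercases tag names before invoking callbacks, as I believe it does, the uppercase comparison never matches and the branch is dead. Either way the code does not express what `!BACKUP` is for, and a callback that passes raw input through for any tag needs a comment stating where that tag comes from and why it is trusted, unless the package inserts `!BACKUP` itself somewhere outside this diff. The same callback is added to package/cjs/utils.js. As a point of style, the new `import { filterXSS } from "xss";` duplicates the `import * as xss from "xss";` directly above it; `xss.filterXSS` would avoid two imports from one path.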
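--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@blocklet/xss",
-"version": "0.2.
+"version": "0.2.10",
 "description": "blocklet prevent xss attack",
 "publishConfig": {
 "access": "public"
@@ -49,7 +49,7 @@
 "unbuild": "^2.0.0"
 },
 "scripts": {
-"coverage": "
+"coverage": "npm run test -- --coverage",
 "build": "unbuild",
 "build:watch": "npx nodemon --ext 'ts,tsx,json,js,jsx' --exec 'pnpm run build' --ignore 'lib/*' --ignore 'es/*' ",
 "dev": "pnpm run build:watch",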