@chat21/chat21-ionic 3.4.24 → 3.4.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +3 -0
- package/package.json +1 -1
- package/src/app/directives/marked.pipe.ts +66 -6
package/CHANGELOG.md
CHANGED
package/package.json
CHANGED
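--- a/package/src/app/directives/marked.pipe.ts
+++ b/package/src/app/directives/marked.pipe.ts
@@ -1,6 +1,7 @@
 import { Pipe, PipeTransform } from '@angular/core';
 import { marked } from 'marked';
 
+
 @Pipe({
 name: 'marked'
 })
@@ -8,19 +9,78 @@ import { marked } from 'marked';
 export class MarkedPipe implements PipeTransform {
 transform(value: any): any {
 const renderer = new marked.Renderer();
-renderer.link = function(href, title, text) {
-
-
+renderer.link = function (href, title, text) {
+// Normalizza l'href per evitare falsi negativi
+const normalized = (href || '').trim().toLowerCase();
+// Pattern pericolosi da cercare nell'intero URL (non solo all'inizio)
+const dangerousPatterns = [
+/javascript:/i, // javascript: protocol
+/data:/i, // data: protocol
+/vbscript:/i, // vbscript: protocol
+/on\w+\s*=/i, // event handlers (onclick, onload, etc.)
+/alert\s*\(/i, // alert() function
+/eval\s*\(/i, // eval() function
+/document\./i, // document object access
+/window\./i, // window object access
+/\.appendChild\s*\(/i, // DOM manipulation
+/\.createElement\s*\(/i, // DOM creation
+/<script/i, // script tags
+/<\/script>/i, // closing script tags
+/function\s*\(/i, // function definitions
+/\(function/i, // IIFE patterns
+/setTimeout\s*\(/i, // setTimeout
+/setInterval\s*\(/i, // setInterval
+/location\./i, // location object manipulation
+/history\./i, // history object manipulation
+/localStorage\./i, // localStorage access
+/sessionStorage\./i, // sessionStorage access
+/cookie/i, // cookie manipulation
+/fetch\s*\(/i, // fetch API
+/XMLHttpRequest/i, // XHR
+/FormData/i, // FormData
+/Blob\s*\(/i, // Blob constructor
+/FileReader/i, // FileReader
+/crypto\./i, // crypto object
+/btoa\s*\(/i, // base64 encoding
+/atob\s*\(/i, // base64 decoding
+/decodeURI/i, // URI decoding
+/encodeURI/i, // URI encoding
+/String\.fromCharCode/i, // character code conversion
+/unescape\s*\(/i, // unescape function
+/escape\s*\(/i // escape function
+];
+
+// Controlla se l'URL contiene pattern pericolosi
+const isDangerous = dangerousPatterns.some(p => p.test(normalized));
+if (isDangerous) {
+// Se l’URL è pericoloso, restituisci solo il testo
+return text || href || '';
+}
+
+// tokens = this.cleanInput(href);
+
+if (!href) return text;
+
+return `<a href="${href}" target="_blank" rel="noopener noreferrer">${text}</a>`;
 };
+
 marked.setOptions({
-
+renderer,
+gfm: true,
+breaks: true
 });
+
 if (value && value.length > 0) {
-
-
+try {
+return marked.parse(value);
+} catch (err) {
+console.error('Errore nel parsing markdown:', err);
+return value;
+}
 }
 return value;
 }
 
 
+
 }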
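Review bot: The new `renderer.link` (new lines 12–64) interpolates `href` unescaped into the `href="…"` attribute and relies on a substring blocklist, so a double quote in the URL can still close the attribute, while the same blocklist rejects ordinary links whose path merely contains `cookie`, `document.`, `crypto.` or `escape(`. A scheme allowlist obtained by parsing the URL, plus attribute escaping of the accepted value, is tighter and does not produce those false positives; `text` is left untouched because marked hands the renderer already-rendered inline HTML (confirm for the installed marked version before changing that). The empty-`href` fallback `return text` is kept, and the `title` argument remains unused as in the committed code.
```typescript
renderer.link = function (href, title, text) {
  // Accept only a fixed set of schemes; resolving relative URLs against the
  // document keeps plain paths working. The scheme list is a constructed example.
  let safeHref = '';
  try {
    const parsed = new URL(href || '', document.baseURI);
    if (['http:', 'https:', 'mailto:'].includes(parsed.protocol)) {
      safeHref = parsed.href;
    }
  } catch {
    safeHref = '';
  }
  if (!safeHref) return text;
  // Escape for the attribute context so a quote cannot terminate href="…".
  const attr = safeHref
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
  return `<a href="${attr}" target="_blank" rel="noopener noreferrer">${text}</a>`;
};
// … unchanged: marked.setOptions and the parse/catch block …
```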