@ecency/render-helper 2.3.0 → 2.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/lib/methods/clean-reply.method.js +2 -1
  2. package/lib/methods/clean-reply.method.js.map +1 -1
  3. package/lib/methods/img.method.js +2 -4
  4. package/lib/methods/img.method.js.map +1 -1
  5. package/lib/render-helper.js +1 -1
  6. package/package.json +1 -1
  7. package/src/methods/clean-reply.method.ts +1 -0
  8. package/src/methods/img.method.ts +3 -5
  9. package/src/test/data/legacy/10.json +1 -1
  10. package/src/test/data/legacy/21.json +1 -1
  11. package/src/test/data/legacy/22.json +1 -1
  12. package/src/test/data/legacy/23.json +1 -1
  13. package/src/test/data/legacy/26.json +1 -1
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ecency/render-helper",
3
- "version": "2.3.0",
3
+ "version": "2.3.2",
4
4
  "description": "Markdown+Html Render helper",
5
5
  "main": "lib/index.js",
6
6
  "types": "lib/index.d.ts",
package/src/methods/clean-reply.method.ts CHANGED
@@ -28,4 +28,5 @@ export function cleanReply(s: string): string {
28
28
  .replace('Posted via <a href="https://d.buzz" data-link="promote-link">D.Buzz</a>', '')
29
29
  .replace('<div class="pull-right"><a href="/@hive.engage">![](https://i.imgur.com/XsrNmcl.png)</a></div>', '')
30
30
  .replace('<div><a href="https://engage.hivechain.app">![](https://i.imgur.com/XsrNmcl.png)</a></div>', '')
31
+ .replace(`<div class="text-center"><img src="https://cdn.steemitimages.com/DQmNp6YwAm2qwquALZw8PdcovDorwaBSFuxQ38TrYziGT6b/A-20.png"><a href="https://bit.ly/actifit-app"><img src="https://cdn.steemitimages.com/DQmQqfpSmcQtfrHAtzfBtVccXwUL9vKNgZJ2j93m8WNjizw/l5.png"></a><a href="https://bit.ly/actifit-ios"><img src="https://cdn.steemitimages.com/DQmbWy8KzKT1UvCvznUTaFPw6wBUcyLtBT5XL9wdbB7Hfmn/l6.png"></a></div>`, '')
31
32
  }
package/src/methods/img.method.ts CHANGED
@@ -4,7 +4,7 @@ export function img(el: HTMLElement, webp: boolean): void {
4
4
  el.removeAttribute("width");
5
5
  el.removeAttribute("height");
6
6
 
7
- const src = el.getAttribute("src") || "";
7
+ let src = el.getAttribute("src") || "";
8
8
 
9
9
  // Normalize encoded characters
10
10
  const decodedSrc = decodeURIComponent(
@@ -15,16 +15,14 @@ export function img(el: HTMLElement, webp: boolean): void {
15
15
  // ❌ Remove if javascript or empty/invalid
16
16
  const isInvalid = !src || decodedSrc.startsWith("javascript") || decodedSrc.startsWith("vbscript") || decodedSrc === "x";
17
17
  if (isInvalid) {
18
- el.remove();
19
- return;
18
+ src = ""
20
19
  }
21
20
 
22
21
  // ❌ Skip relative paths (e.g., `photo.jpg`)
23
22
  const isRelative = !/^https?:\/\//i.test(src) && !src.startsWith("/");
24
23
  if (isRelative) {
25
24
  console.warn("Skipped relative image:", src);
26
- el.remove();
27
- return;
25
+ src = ""
28
26
  }
29
27
 
30
28
  // Sanitize any dynamic or low-res src-like attributes
package/src/test/data/legacy/10.json CHANGED
@@ -1,5 +1,5 @@
1
1
  {
2
2
  "id": 10,
3
3
  "input": "Lorem ipsum dolor <img src=x onerror=alert(x)> sit amet.\n\n<a href=\"javascript:void(0)\">etiam ut sollicitudin neque</a>\n\n<a onclick=\"console.log('ss')\">Vivamus pulvinar semper porttitor</a>",
4
- "result": ""
4
+ "result": "<p dir=\"auto\">Lorem ipsum dolor <img /> sit amet.</p>\n<p dir=\"auto\"><a>etiam ut sollicitudin neque</a></p>\n<p dir=\"auto\"><a>Vivamus pulvinar semper porttitor</a></p>"
5
5
  }
package/src/test/data/legacy/21.json CHANGED
@@ -1,5 +1,5 @@
1
1
  {
2
2
  "id": 21,
3
3
  "input": "javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>\n\n<IMG SRC=\"javascript:alert('XSS');\"><img src=\"javascript:alert('XSS');\">\n\n<IMG SRC=javascript:alert('XSS')> <img src=javascript:alert('XSS')>",
4
- "result": ""
4
+ "result": "<p dir=\"auto\">javascript:/<em>--&gt;&lt;svg/onload='+/\"/+/onmouseover=1/+/[</em>/[]/+alert(1)//'&gt;</p>\n<p dir=\"auto\"><img /><img /></p>\n<p dir=\"auto\">&lt;IMG SRC=javascript:alert('XSS')&gt; &lt;img src=javascript:alert('XSS')&gt;</p>"
5
5
  }
package/src/test/data/legacy/22.json CHANGED
@@ -1,5 +1,5 @@
1
1
  {
2
2
  "id": 22,
3
3
  "input": "<IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=javascript:alert(&quot;XSS&quot;)>\n<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>\n<a onmouseover=\"alert(document.cookie)\">xxs link</a><a onmouseover=alert(document.cookie)>xxs link</a>\n<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\"><IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>\n <IMG SRC= onmouseover=\"alert('xxs')\">",
4
- "result": ""
4
+ "result": "<p dir=\"auto\">&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;IMG SRC=javascript:alert(&quot;XSS&quot;)&gt;<br />\n&lt;IMG SRC=<code>javascript:alert(\"RSnake says, 'XSS'\")</code>&gt;<br />\n<a>xxs link</a><a>xxs link</a><br />\n&lt;IMG \"\"\"&gt;alert(&quot;XSS&quot;)\"&gt;<img /><br />\n&lt;IMG SRC= onmouseover=\"alert('xxs')\"&gt;</p>"
5
5
  }
package/src/test/data/legacy/23.json CHANGED
@@ -1,5 +1,5 @@
1
1
  {
2
2
  "id": 23,
3
3
  "input": "<IMG SRC=/ onerror=\"alert(String.fromCharCode(88,83,83))\"></img> <img src=x onerror=\"&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041\"> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC=\" &#14; javascript:alert('XSS');\">",
4
- "result": ""
4
+ "result": "<p dir=\"auto\">&lt;IMG SRC=/ onerror=\"alert(String.fromCharCode(88,83,83))\"&gt; <img /> &lt;IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;&gt; <img /> <img /></p>"
5
5
  }
package/src/test/data/legacy/26.json CHANGED
@@ -1,5 +1,5 @@
1
1
  {
2
2
  "id": 26,
3
3
  "input": "<IMG DYNSRC=\"javascript:alert('XSS')\"> <IMG LOWSRC=\"javascript:alert('XSS')\"> <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE>",
4
- "result": ""
4
+ "result": "<p dir=\"auto\"><img /> <img /> </p>"
5
5
  }