@ecency/render-helper 2.3.12 → 2.3.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/lib/consts/allowed-attributes.const.js +1 -0
  2. package/lib/consts/allowed-attributes.const.js.map +1 -1
  3. package/lib/methods/sanitize-html.method.js +3 -0
  4. package/lib/methods/sanitize-html.method.js.map +1 -1
  5. package/lib/render-helper.js +1 -1
  6. package/lib/types/xss-white-list.interface.d.ts +1 -0
  7. package/package.json +1 -1
  8. package/src/consts/allowed-attributes.const.ts +1 -0
  9. package/src/methods/sanitize-html.method.ts +4 -0
  10. package/src/sanitize-html.spec.ts +15 -0
  11. package/src/types/xss-white-list.interface.ts +1 -0
package/lib/types/xss-white-list.interface.d.ts CHANGED
@@ -2,4 +2,5 @@ import { IWhiteList } from 'xss';
2
2
  export interface XSSWhiteList extends IWhiteList {
3
3
  iframe?: string[];
4
4
  strike?: string[];
5
+ video?: string[];
5
6
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ecency/render-helper",
3
- "version": "2.3.12",
3
+ "version": "2.3.13",
4
4
  "description": "Markdown+Html Render helper",
5
5
  "main": "lib/index.js",
6
6
  "types": "lib/index.d.ts",
package/src/consts/allowed-attributes.const.ts CHANGED
@@ -33,6 +33,7 @@ export const ALLOWED_ATTRIBUTES: XSSWhiteList = {
33
33
  ],
34
34
  'span': ['class', 'id'],
35
35
  'iframe': ['src', 'class', 'frameborder', 'allowfullscreen', 'webkitallowfullscreen', 'mozallowfullscreen', 'sandbox'],
36
+ 'video': ['src', 'controls', 'poster'],
36
37
  'div': ['class', 'id'],
37
38
  'strong': [],
38
39
  'b': [],
package/src/methods/sanitize-html.method.ts CHANGED
@@ -17,6 +17,10 @@ export function sanitizeHtml(html: string): string {
17
17
 
18
18
  if (name.startsWith('on')) return ''; // 🛡 event handlers
19
19
  if (tag === 'img' && name === 'src' && (!/^https?:\/\//.test(decoded) || decoded.startsWith('javascript:'))) return '';
20
+ if (
21
+ tag === 'video' && ['src', 'poster'].includes(name) &&
22
+ (!/^https?:\/\//.test(decoded) || decoded.startsWith('javascript:'))
23
+ ) return '';
20
24
  if (tag === 'img' && ['dynsrc', 'lowsrc'].includes(name)) return '';
21
25
  if (tag === 'span' && name === 'class' && value === 'wr') return '';
22
26
  if (name === 'id') {
package/src/sanitize-html.spec.ts ADDED
@@ -0,0 +1,15 @@
1
+ import { sanitizeHtml } from './methods/sanitize-html.method'
2
+
3
+ describe('sanitizeHtml', () => {
4
+ it('1- should allow video tag with src and controls', () => {
5
+ const input = '<video src="https://example.com/video.mp4" controls></video>'
6
+ const expected = '<video src="https://example.com/video.mp4" controls></video>'
7
+ expect(sanitizeHtml(input)).toBe(expected)
8
+ })
9
+
10
+ it('2- should strip dangerous video src', () => {
11
+ const input = "<video src=\"javascript:alert('XSS')\" controls></video>"
12
+ const expected = '<video controls></video>'
13
+ expect(sanitizeHtml(input)).toBe(expected)
14
+ })
15
+ })
package/src/types/xss-white-list.interface.ts CHANGED
@@ -3,4 +3,5 @@ import { IWhiteList } from 'xss'
3
3
  export interface XSSWhiteList extends IWhiteList {
4
4
  iframe?: string[]
5
5
  strike?: string[]
6
+ video?: string[]
6
7
  }