@ecency/render-helper 2.3.12 → 2.3.14
- package/lib/consts/allowed-attributes.const.js +10 -9
- package/lib/consts/allowed-attributes.const.js.map +1 -1
- package/lib/methods/sanitize-html.method.js +3 -0
- package/lib/methods/sanitize-html.method.js.map +1 -1
- package/lib/render-helper.js +1 -1
- package/lib/types/xss-white-list.interface.d.ts +1 -0
- package/package.json +1 -1
- package/src/consts/allowed-attributes.const.ts +10 -9
- package/src/methods/sanitize-html.method.ts +4 -0
- package/src/sanitize-html.spec.ts +15 -0
- package/src/types/xss-white-list.interface.ts +1 -0
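--- a/package/lib/consts/allowed-attributes.const.js
+++ b/package/lib/consts/allowed-attributes.const.js
@@ -32,9 +32,10 @@ exports.ALLOWED_ATTRIBUTES = {
 'decoding',
 'itemprop'
 ],
-'span': ['class', 'id'],
+'span': ['class', 'id', 'data-align'],
 'iframe': ['src', 'class', 'frameborder', 'allowfullscreen', 'webkitallowfullscreen', 'mozallowfullscreen', 'sandbox'],
-'
+'video': ['src', 'controls', 'poster'],
+'div': ['class', 'id', 'data-align'],
 'strong': [],
 'b': [],
 'i': [],
@@ -45,13 +46,13 @@ exports.ALLOWED_ATTRIBUTES = {
 'blockquote': ['class'],
 'sup': [],
 'sub': [],
-'h1': ['dir', 'id'],
-'h2': ['dir', 'id'],
-'h3': ['dir', 'id'],
-'h4': ['dir', 'id'],
-'h5': ['dir', 'id'],
-'h6': ['dir', 'id'],
-'p': ['dir', 'id'],
+'h1': ['dir', 'id', 'data-align'],
+'h2': ['dir', 'id', 'data-align'],
+'h3': ['dir', 'id', 'data-align'],
+'h4': ['dir', 'id', 'data-align'],
+'h5': ['dir', 'id', 'data-align'],
+'h6': ['dir', 'id', 'data-align'],
+'p': ['dir', 'id', 'data-align'],
 'center': [],
 'ul': [],
 'ol': [],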
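Review bot: The new `data-align` attribute on span, div, h1–h6 and p is accepted with any value, and nothing in this file constrains it; assuming the sanitizer emits attribute values escaped, that is not an injection vector by itself, but if the renderer maps the value onto a class or inline style the accepted set should be pinned in the per-attribute callback, e.g. `if (name === 'data-align' && !['left', 'center', 'right', 'justify'].includes(decoded)) return '';`. The new `video` entry lists `src` and `poster`, whose URL restriction lives in sanitize-html.method.js rather than here, so the two files must be kept in step; a comment on the entry, `// src/poster are restricted to http(s) URLs in sanitize-html.method.js`, would make that dependency visible to the next person extending the list. The `ALLOWED_ATTRIBUTES` object starts before the first hunk and continues past the second, and the removed old line 37 is shown only as a lone `'`, so what it held in 2.3.12 is not recoverable from this page.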
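--- a/package/lib/consts/allowed-attributes.const.js.map
+++ b/package/lib/consts/allowed-attributes.const.js.map
@@ -1 +1 @@
-{"version":3,"file":"allowed-attributes.const.js","sourceRoot":"","sources":["../../src/consts/allowed-attributes.const.ts"],"names":[],"mappings":";;;AAEa,QAAA,kBAAkB,GAAiB;IAC9C,GAAG,EAAE;QACH,MAAM;QACN,QAAQ;QACR,KAAK;QACL,eAAe;QACf,UAAU;QACV,aAAa;QACb,WAAW;QACX,gBAAgB;QAChB,aAAa;QACb,gBAAgB;QAChB,cAAc;QACd,iBAAiB;QACjB,iBAAiB;QACjB,eAAe;QACf,gBAAgB;QAChB,OAAO;QACP,OAAO;QACP,SAAS;QACT,IAAI;KACL;IACD,KAAK,EAAE;QACL,KAAK;QACL,KAAK;QACL,OAAO;QACP,SAAS;QACT,eAAe;QACf,UAAU;QACV,UAAU;KACX;IACD,MAAM,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC;
+{"version":3,"file":"allowed-attributes.const.js","sourceRoot":"","sources":["../../src/consts/allowed-attributes.const.ts"],"names":[],"mappings":";;;AAEa,QAAA,kBAAkB,GAAiB;IAC9C,GAAG,EAAE;QACH,MAAM;QACN,QAAQ;QACR,KAAK;QACL,eAAe;QACf,UAAU;QACV,aAAa;QACb,WAAW;QACX,gBAAgB;QAChB,aAAa;QACb,gBAAgB;QAChB,cAAc;QACd,iBAAiB;QACjB,iBAAiB;QACjB,eAAe;QACf,gBAAgB;QAChB,OAAO;QACP,OAAO;QACP,SAAS;QACT,IAAI;KACL;IACD,KAAK,EAAE;QACL,KAAK;QACL,KAAK;QACL,OAAO;QACP,SAAS;QACT,eAAe;QACf,UAAU;QACV,UAAU;KACX;IACD,MAAM,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC;IACrC,QAAQ,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,SAAS,CAAC;IACtH,OAAO,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC;IACtC,KAAK,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC;IACpC,QAAQ,EAAE,EAAE;IACZ,GAAG,EAAE,EAAE;IACP,GAAG,EAAE,EAAE;IACP,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,EAAE;IACV,KAAK,EAAE,EAAE;IACT,YAAY,EAAE,CAAC,OAAO,CAAC;IACvB,KAAK,EAAE,EAAE;IACT,KAAK,EAAE,EAAE;IACT,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC;IACjC,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC;IACjC,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC;IACjC,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC;IACjC,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC;IACjC,IAAI,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC;IACjC,GAAG,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,YAAY,CAAC;IAChC,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,OAAO,EAAE,EAAE;IACX,OAAO,EAAE,EAAE;IACX,OAAO,EAAE,EAAE;IACX,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,KAAK,EAAE,EAAE;IACT,KAAK,EAAE,EAAE;CACV,CAAA"}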
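--- a/package/lib/methods/sanitize-html.method.js
+++ b/package/lib/methods/sanitize-html.method.js
@@ -23,6 +23,9 @@ function sanitizeHtml(html) {
 return ''; // 🛡 event handlers
 if (tag === 'img' && name === 'src' && (!/^https?:\/\//.test(decoded) || decoded.startsWith('javascript:')))
 return '';
+if (tag === 'video' && ['src', 'poster'].includes(name) &&
+(!/^https?:\/\//.test(decoded) || decoded.startsWith('javascript:')))
+return '';
 if (tag === 'img' && ['dynsrc', 'lowsrc'].includes(name))
 return '';
 if (tag === 'span' && name === 'class' && value === 'wr')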
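Review bot: The `decoded.startsWith('javascript:')` half of the new `video` condition can never be true: a value that fails `/^https?:\/\//` is already rejected by the left operand, and one that passes it cannot begin with `javascript:`, so the right operand is dead code (the `img` rule above carries the same dead branch). Since the video rule is otherwise a copy of the img rule, the two could share one predicate: `const isHttpUrl = (u) => /^https?:\/\//.test(u);` and `if (((tag === 'img' && name === 'src') || (tag === 'video' && ['src', 'poster'].includes(name))) && !isHttpUrl(decoded)) return '';`. This assumes `decoded` is the trimmed, lowercased, entity-decoded attribute value, as its name suggests; its definition sits above the hunk and is not visible here. Note the check only admits absolute `http(s)://` strings, so protocol-relative (`//host/x`) and relative video sources are dropped as well, which is worth stating in a comment on the line if it is intended. The body of `sanitizeHtml` and the per-attribute callback it contains begin before and end after this hunk.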
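--- a/package/lib/methods/sanitize-html.method.js.map
+++ b/package/lib/methods/sanitize-html.method.js.map
@@ -1 +1 @@
-{"version":3,"file":"sanitize-html.method.js","sourceRoot":"","sources":["../../src/methods/sanitize-html.method.ts"],"names":[],"mappings":";;;;;;AAAA,4CAAqB;AACrB,oCAA0D;AAE1D,IAAM,cAAc,GAAG,UAAC,KAAa;IACnC,OAAA,KAAK;SACF,OAAO,CAAC,YAAY,EAAE,UAAC,CAAC,EAAE,GAAG,IAAK,OAAA,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,EAAxB,CAAwB,CAAC;SAC3D,OAAO,CAAC,oBAAoB,EAAE,UAAC,CAAC,EAAE,GAAG,IAAK,OAAA,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAtC,CAAsC,CAAC;AAFpF,CAEoF,CAAC;AAEvF,SAAgB,YAAY,CAAC,IAAY;IACvC,OAAO,IAAA,aAAG,EAAC,IAAI,EAAE;QACf,SAAS,EAAE,2BAAkB;QAC7B,cAAc,EAAE,IAAI;QACpB,kBAAkB,EAAE,CAAC,OAAO,CAAC;QAC7B,GAAG,EAAE,KAAK;QACV,SAAS,EAAE,UAAC,GAAG,EAAE,IAAI,EAAE,KAAK;YAC1B,IAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;YAE3D,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC,CAAC,oBAAoB;YAC1D,IAAI,GAAG,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;gBAAE,OAAO,EAAE,CAAC;YACvH,IAAI,GAAG,KAAK,KAAK,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC;YACpE,IAAI,GAAG,KAAK,MAAM,IAAI,IAAI,KAAK,OAAO,IAAI,KAAK,KAAK,IAAI;gBAAE,OAAO,EAAE,CAAC;YACpE,IAAI,IAAI,KAAK,IAAI,EAAE;gBACjB,IAAI,CAAC,qBAAY,CAAC,IAAI,CAAC,OAAO,CAAC;oBAAE,OAAO,EAAE,CAAC;aAC5C;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC,CAAC;AACL,CAAC;
+{"version":3,"file":"sanitize-html.method.js","sourceRoot":"","sources":["../../src/methods/sanitize-html.method.ts"],"names":[],"mappings":";;;;;;AAAA,4CAAqB;AACrB,oCAA0D;AAE1D,IAAM,cAAc,GAAG,UAAC,KAAa;IACnC,OAAA,KAAK;SACF,OAAO,CAAC,YAAY,EAAE,UAAC,CAAC,EAAE,GAAG,IAAK,OAAA,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,EAAxB,CAAwB,CAAC;SAC3D,OAAO,CAAC,oBAAoB,EAAE,UAAC,CAAC,EAAE,GAAG,IAAK,OAAA,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAtC,CAAsC,CAAC;AAFpF,CAEoF,CAAC;AAEvF,SAAgB,YAAY,CAAC,IAAY;IACvC,OAAO,IAAA,aAAG,EAAC,IAAI,EAAE;QACf,SAAS,EAAE,2BAAkB;QAC7B,cAAc,EAAE,IAAI;QACpB,kBAAkB,EAAE,CAAC,OAAO,CAAC;QAC7B,GAAG,EAAE,KAAK;QACV,SAAS,EAAE,UAAC,GAAG,EAAE,IAAI,EAAE,KAAK;YAC1B,IAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;YAE3D,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC,CAAC,oBAAoB;YAC1D,IAAI,GAAG,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;gBAAE,OAAO,EAAE,CAAC;YACvH,IACE,GAAG,KAAK,OAAO,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACnD,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;gBACpE,OAAO,EAAE,CAAC;YACZ,IAAI,GAAG,KAAK,KAAK,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAAE,OAAO,EAAE,CAAC;YACpE,IAAI,GAAG,KAAK,MAAM,IAAI,IAAI,KAAK,OAAO,IAAI,KAAK,KAAK,IAAI;gBAAE,OAAO,EAAE,CAAC;YACpE,IAAI,IAAI,KAAK,IAAI,EAAE;gBACjB,IAAI,CAAC,qBAAY,CAAC,IAAI,CAAC,OAAO,CAAC;oBAAE,OAAO,EAAE,CAAC;aAC5C;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAvBD,oCAuBC"}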