@ecency/render-helper 2.3.8 → 2.3.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/consts/allowed-attributes.const.js +11 -10
- package/lib/consts/allowed-attributes.const.js.map +1 -1
- package/lib/consts/regexes.const.d.ts +1 -0
- package/lib/consts/regexes.const.js +2 -1
- package/lib/consts/regexes.const.js.map +1 -1
- package/lib/methods/a.method.js +4 -0
- package/lib/methods/a.method.js.map +1 -1
- package/lib/methods/sanitize-html.method.js +4 -0
- package/lib/methods/sanitize-html.method.js.map +1 -1
- package/lib/render-helper.js +1 -1
- package/package.json +1 -1
- package/src/consts/allowed-attributes.const.ts +11 -10
- package/src/consts/regexes.const.ts +2 -0
- package/src/markdown-2-html.spec.ts +2 -2
- package/src/methods/a.method.ts +4 -0
- package/src/methods/sanitize-html.method.ts +4 -2
package/package.json
CHANGED
|
@@ -19,7 +19,8 @@ export const ALLOWED_ATTRIBUTES: XSSWhiteList = {
|
|
|
19
19
|
'data-is-inline',
|
|
20
20
|
'class',
|
|
21
21
|
'title',
|
|
22
|
-
'data-id'
|
|
22
|
+
'data-id',
|
|
23
|
+
'id'
|
|
23
24
|
],
|
|
24
25
|
'img': [
|
|
25
26
|
'src',
|
|
@@ -30,9 +31,9 @@ export const ALLOWED_ATTRIBUTES: XSSWhiteList = {
|
|
|
30
31
|
'decoding',
|
|
31
32
|
'itemprop'
|
|
32
33
|
],
|
|
33
|
-
'span': ['class'],
|
|
34
|
+
'span': ['class', 'id'],
|
|
34
35
|
'iframe': ['src', 'class', 'frameborder', 'allowfullscreen', 'webkitallowfullscreen', 'mozallowfullscreen', 'sandbox'],
|
|
35
|
-
'div': ['class'],
|
|
36
|
+
'div': ['class', 'id'],
|
|
36
37
|
'strong': [],
|
|
37
38
|
'b': [],
|
|
38
39
|
'i': [],
|
|
@@ -43,13 +44,13 @@ export const ALLOWED_ATTRIBUTES: XSSWhiteList = {
|
|
|
43
44
|
'blockquote': ['class'],
|
|
44
45
|
'sup': [],
|
|
45
46
|
'sub': [],
|
|
46
|
-
'h1': ['dir'],
|
|
47
|
-
'h2': ['dir'],
|
|
48
|
-
'h3': ['dir'],
|
|
49
|
-
'h4': ['dir'],
|
|
50
|
-
'h5': ['dir'],
|
|
51
|
-
'h6': ['dir'],
|
|
52
|
-
'p': ['dir'],
|
|
47
|
+
'h1': ['dir', 'id'],
|
|
48
|
+
'h2': ['dir', 'id'],
|
|
49
|
+
'h3': ['dir', 'id'],
|
|
50
|
+
'h4': ['dir', 'id'],
|
|
51
|
+
'h5': ['dir', 'id'],
|
|
52
|
+
'h6': ['dir', 'id'],
|
|
53
|
+
'p': ['dir', 'id'],
|
|
53
54
|
'center': [],
|
|
54
55
|
'ul': [],
|
|
55
56
|
'ol': [],
|
|
@@ -42,3 +42,5 @@ export const LOOM_EMBED_REGEX = /^(https?:)?\/\/www.loom.com\/embed\/(.*)/i
|
|
|
42
42
|
export const AUREAL_EMBED_REGEX = /^(https?:\/\/)?(www\.)?(?:aureal-embed)\.web\.app\/([0-9]+)/i
|
|
43
43
|
export const ENTITY_REGEX = /&([a-z0-9]+|#[0-9]{1,6}|#x[0-9a-fA-F]{1,6});/ig
|
|
44
44
|
export const SECTION_REGEX = /\B(\#[\da-zA-Z-_]+\b)(?!;)/i
|
|
45
|
+
export const ID_WHITELIST = /^[A-Za-z][-A-Za-z0-9_]*$/
|
|
46
|
+
|
|
@@ -946,7 +946,7 @@ describe('Markdown2Html', () => {
|
|
|
946
946
|
last_update: '2019-05-10T09:15:21',
|
|
947
947
|
body: 'this is link https://inleo.io/@godfish/close-range-reflections'
|
|
948
948
|
}
|
|
949
|
-
const expected = '<p dir=\"auto\">this is link <a href="/post/@godfish/close-range-reflections" class="markdown-post-link">@godfish/close-range-reflections</a></p>'
|
|
949
|
+
const expected = '<p dir=\"auto\">this is link <a href="/post/@godfish/close-range-reflections" class="markdown-post-link" data-is-inline="false">@godfish/close-range-reflections</a></p>'
|
|
950
950
|
|
|
951
951
|
expect(markdown2Html(input, false)).toBe(expected)
|
|
952
952
|
})
|
|
@@ -1161,7 +1161,7 @@ describe('Markdown2Html', () => {
|
|
|
1161
1161
|
last_update: '2019-05-10T09:15:21',
|
|
1162
1162
|
body: 'https://img.esteem.ws/bbq3ob1idy.png <a href="https://steemit.com/esteem/@esteemapp/esteem-monthly-guest-curation-program-4">fooo</a> <a href="/esteem/@esteemapp/esteem-monthly-guest-curation-program-4">bar</a> <a href="http://external.com/loromoro">baz</a> #lorem @ipsum <a href=\'https://steemit.com/~witnesses\'>vote me</a>'
|
|
1163
1163
|
}
|
|
1164
|
-
const expected = '<p dir=\"auto\"><img class="markdown-img-link" src="https://images.ecency.com/p/o1AJ9qDyyJNSpZWhUgGYc3MngFqoAMwgbeMkkd8SVxyfRVjiN.png?format=match&mode=fit" loading="lazy" decoding="async" itemprop="image" /> <a href="https://steemit.com/esteem/@esteemapp/esteem-monthly-guest-curation-program-4" class="markdown-external-link" target="_blank" rel="noopener">fooo</a> <a href="/esteem/@esteemapp/esteem-monthly-guest-curation-program-4" class="markdown-post-link">bar</a> <a href="http://external.com/loromoro" class="markdown-external-link" target="_blank" rel="noopener">baz</a><span> <a class="markdown-tag-link" href="/trending/lorem">#lorem</a> <a class="markdown-author-link" href="/@ipsum">@ipsum</a> </span><a href="https://steemit.com/~witnesses" class="markdown-external-link" target="_blank" rel="noopener">vote me</a></p>'
|
|
1164
|
+
const expected = '<p dir=\"auto\"><img class="markdown-img-link" src="https://images.ecency.com/p/o1AJ9qDyyJNSpZWhUgGYc3MngFqoAMwgbeMkkd8SVxyfRVjiN.png?format=match&mode=fit" loading="lazy" decoding="async" itemprop="image" /> <a href="https://steemit.com/esteem/@esteemapp/esteem-monthly-guest-curation-program-4" class="markdown-external-link" target="_blank" rel="noopener">fooo</a> <a href="/esteem/@esteemapp/esteem-monthly-guest-curation-program-4" class="markdown-post-link" data-is-inline="true">bar</a> <a href="http://external.com/loromoro" class="markdown-external-link" target="_blank" rel="noopener">baz</a><span> <a class="markdown-tag-link" href="/trending/lorem">#lorem</a> <a class="markdown-author-link" href="/@ipsum">@ipsum</a> </span><a href="https://steemit.com/~witnesses" class="markdown-external-link" target="_blank" rel="noopener">vote me</a></p>'
|
|
1165
1165
|
|
|
1166
1166
|
expect(markdown2Html(input, false)).toBe(expected)
|
|
1167
1167
|
})
|
package/src/methods/a.method.ts
CHANGED
|
@@ -121,6 +121,7 @@ export function a(el: HTMLElement, forApp: boolean, webp: boolean): void {
|
|
|
121
121
|
} else {
|
|
122
122
|
const h = `/${tag}/@${author}/${permlink}`
|
|
123
123
|
el.setAttribute('href', h)
|
|
124
|
+
el.setAttribute('data-is-inline', '' + isInline)
|
|
124
125
|
}
|
|
125
126
|
return
|
|
126
127
|
}
|
|
@@ -208,6 +209,7 @@ export function a(el: HTMLElement, forApp: boolean, webp: boolean): void {
|
|
|
208
209
|
} else {
|
|
209
210
|
const h = `/${tag}/@${author}/${permlink}`
|
|
210
211
|
el.setAttribute('href', h)
|
|
212
|
+
el.setAttribute('data-is-inline', '' + isInline)
|
|
211
213
|
}
|
|
212
214
|
|
|
213
215
|
return
|
|
@@ -286,6 +288,7 @@ export function a(el: HTMLElement, forApp: boolean, webp: boolean): void {
|
|
|
286
288
|
} else {
|
|
287
289
|
const h = `/${tag}/@${author}/${permlink}`
|
|
288
290
|
el.setAttribute('href', h)
|
|
291
|
+
el.setAttribute('data-is-inline', '' + isInline)
|
|
289
292
|
}
|
|
290
293
|
|
|
291
294
|
return
|
|
@@ -391,6 +394,7 @@ export function a(el: HTMLElement, forApp: boolean, webp: boolean): void {
|
|
|
391
394
|
} else {
|
|
392
395
|
const h = `/${tag}/@${author}/${permlink}`
|
|
393
396
|
el.setAttribute('href', h)
|
|
397
|
+
el.setAttribute('data-is-inline', '' + isInline)
|
|
394
398
|
}
|
|
395
399
|
return
|
|
396
400
|
}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import xss from 'xss'
|
|
2
|
-
import {
|
|
2
|
+
import {ALLOWED_ATTRIBUTES, ID_WHITELIST} from '../consts'
|
|
3
3
|
|
|
4
4
|
const decodeEntities = (input: string): string =>
|
|
5
5
|
input
|
|
@@ -19,7 +19,9 @@ export function sanitizeHtml(html: string): string {
|
|
|
19
19
|
if (tag === 'img' && name === 'src' && (!/^https?:\/\//.test(decoded) || decoded.startsWith('javascript:'))) return '';
|
|
20
20
|
if (tag === 'img' && ['dynsrc', 'lowsrc'].includes(name)) return '';
|
|
21
21
|
if (tag === 'span' && name === 'class' && value === 'wr') return '';
|
|
22
|
-
|
|
22
|
+
if (name === 'id') {
|
|
23
|
+
if (!ID_WHITELIST.test(decoded)) return '';
|
|
24
|
+
}
|
|
23
25
|
return undefined;
|
|
24
26
|
}
|
|
25
27
|
});
|