@ecency/render-helper 2.3.8 → 2.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/lib/consts/allowed-attributes.const.js +11 -10
  2. package/lib/consts/allowed-attributes.const.js.map +1 -1
  3. package/lib/consts/regexes.const.d.ts +1 -0
  4. package/lib/consts/regexes.const.js +2 -1
  5. package/lib/consts/regexes.const.js.map +1 -1
  6. package/lib/methods/sanitize-html.method.js +4 -0
  7. package/lib/methods/sanitize-html.method.js.map +1 -1
  8. package/lib/render-helper.js +1 -1
  9. package/package.json +1 -1
  10. package/src/consts/allowed-attributes.const.ts +11 -10
  11. package/src/consts/regexes.const.ts +2 -0
  12. package/src/methods/sanitize-html.method.ts +4 -2
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ecency/render-helper",
3
- "version": "2.3.8",
3
+ "version": "2.3.9",
4
4
  "description": "Markdown+Html Render helper",
5
5
  "main": "lib/index.js",
6
6
  "types": "lib/index.d.ts",
package/src/consts/allowed-attributes.const.ts CHANGED
@@ -19,7 +19,8 @@ export const ALLOWED_ATTRIBUTES: XSSWhiteList = {
19
19
  'data-is-inline',
20
20
  'class',
21
21
  'title',
22
- 'data-id'
22
+ 'data-id',
23
+ 'id'
23
24
  ],
24
25
  'img': [
25
26
  'src',
@@ -30,9 +31,9 @@ export const ALLOWED_ATTRIBUTES: XSSWhiteList = {
30
31
  'decoding',
31
32
  'itemprop'
32
33
  ],
33
- 'span': ['class'],
34
+ 'span': ['class', 'id'],
34
35
  'iframe': ['src', 'class', 'frameborder', 'allowfullscreen', 'webkitallowfullscreen', 'mozallowfullscreen', 'sandbox'],
35
- 'div': ['class'],
36
+ 'div': ['class', 'id'],
36
37
  'strong': [],
37
38
  'b': [],
38
39
  'i': [],
@@ -43,13 +44,13 @@ export const ALLOWED_ATTRIBUTES: XSSWhiteList = {
43
44
  'blockquote': ['class'],
44
45
  'sup': [],
45
46
  'sub': [],
46
- 'h1': ['dir'],
47
- 'h2': ['dir'],
48
- 'h3': ['dir'],
49
- 'h4': ['dir'],
50
- 'h5': ['dir'],
51
- 'h6': ['dir'],
52
- 'p': ['dir'],
47
+ 'h1': ['dir', 'id'],
48
+ 'h2': ['dir', 'id'],
49
+ 'h3': ['dir', 'id'],
50
+ 'h4': ['dir', 'id'],
51
+ 'h5': ['dir', 'id'],
52
+ 'h6': ['dir', 'id'],
53
+ 'p': ['dir', 'id'],
53
54
  'center': [],
54
55
  'ul': [],
55
56
  'ol': [],
package/src/consts/regexes.const.ts CHANGED
@@ -42,3 +42,5 @@ export const LOOM_EMBED_REGEX = /^(https?:)?\/\/www.loom.com\/embed\/(.*)/i
42
42
  export const AUREAL_EMBED_REGEX = /^(https?:\/\/)?(www\.)?(?:aureal-embed)\.web\.app\/([0-9]+)/i
43
43
  export const ENTITY_REGEX = /&([a-z0-9]+|#[0-9]{1,6}|#x[0-9a-fA-F]{1,6});/ig
44
44
  export const SECTION_REGEX = /\B(\#[\da-zA-Z-_]+\b)(?!;)/i
45
+ export const ID_WHITELIST = /^[A-Za-z][-A-Za-z0-9_]*$/
46
+
package/src/methods/sanitize-html.method.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import xss from 'xss'
2
- import { ALLOWED_ATTRIBUTES } from '../consts'
2
+ import {ALLOWED_ATTRIBUTES, ID_WHITELIST} from '../consts'
3
3
 
4
4
  const decodeEntities = (input: string): string =>
5
5
  input
@@ -19,7 +19,9 @@ export function sanitizeHtml(html: string): string {
19
19
  if (tag === 'img' && name === 'src' && (!/^https?:\/\//.test(decoded) || decoded.startsWith('javascript:'))) return '';
20
20
  if (tag === 'img' && ['dynsrc', 'lowsrc'].includes(name)) return '';
21
21
  if (tag === 'span' && name === 'class' && value === 'wr') return '';
22
-
22
+ if (name === 'id') {
23
+ if (!ID_WHITELIST.test(decoded)) return '';
24
+ }
23
25
  return undefined;
24
26
  }
25
27
  });