@faststore/api 2.2.0-alpha.6 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/api.cjs.development.js +31 -5
- package/dist/api.cjs.development.js.map +1 -1
- package/dist/api.cjs.production.min.js +1 -1
- package/dist/api.cjs.production.min.js.map +1 -1
- package/dist/api.esm.js +31 -5
- package/dist/api.esm.js.map +1 -1
- package/dist/platforms/vtex/utils/sanitizeHtml.d.ts +17 -0
- package/package.json +7 -5
- package/src/platforms/vtex/utils/enhanceSku.ts +11 -1
- package/src/platforms/vtex/utils/sanitizeHtml.ts +21 -0
|
@@ -6,6 +6,7 @@ var schema = require('@graphql-tools/schema');
|
|
|
6
6
|
var fetch = _interopDefault(require('isomorphic-unfetch'));
|
|
7
7
|
var DataLoader = _interopDefault(require('dataloader'));
|
|
8
8
|
var pLimit = _interopDefault(require('p-limit'));
|
|
9
|
+
var sanitizeHtmlLib = _interopDefault(require('sanitize-html'));
|
|
9
10
|
var deepEquals = _interopDefault(require('fast-deep-equal'));
|
|
10
11
|
var crypto = _interopDefault(require('crypto'));
|
|
11
12
|
var graphql = require('graphql');
|
|
@@ -22,7 +23,7 @@ var api = require('@opentelemetry/api');
|
|
|
22
23
|
var apiLogs = require('@opentelemetry/api-logs');
|
|
23
24
|
|
|
24
25
|
var name = "@faststore/api";
|
|
25
|
-
var version = "2.2.0
|
|
26
|
+
var version = "2.2.0";
|
|
26
27
|
var license = "MIT";
|
|
27
28
|
var main = "dist/index.js";
|
|
28
29
|
var typings = "dist/index.d.ts";
|
|
@@ -54,15 +55,17 @@ var dependencies = {
|
|
|
54
55
|
dataloader: "^2.1.0",
|
|
55
56
|
"fast-deep-equal": "^3.1.3",
|
|
56
57
|
"isomorphic-unfetch": "^3.1.0",
|
|
57
|
-
"p-limit": "^3.1.0"
|
|
58
|
+
"p-limit": "^3.1.0",
|
|
59
|
+
"sanitize-html": "^2.11.0"
|
|
58
60
|
};
|
|
59
61
|
var devDependencies = {
|
|
60
62
|
"@envelop/core": "^2.6.0",
|
|
61
|
-
"@faststore/eslint-config": "^2.2.0
|
|
62
|
-
"@faststore/shared": "^2.2.0
|
|
63
|
+
"@faststore/eslint-config": "^2.2.0",
|
|
64
|
+
"@faststore/shared": "^2.2.0",
|
|
63
65
|
"@graphql-codegen/cli": "2.2.0",
|
|
64
66
|
"@graphql-codegen/typescript": "2.2.2",
|
|
65
67
|
"@types/express": "^4.17.16",
|
|
68
|
+
"@types/sanitize-html": "^2.9.1",
|
|
66
69
|
concurrently: "^6.2.1",
|
|
67
70
|
eslint: "7.32.0",
|
|
68
71
|
express: "^4.17.3",
|
|
@@ -515,9 +518,32 @@ const getSimulationLoader = (_, clients) => {
|
|
|
515
518
|
});
|
|
516
519
|
};
|
|
517
520
|
|
|
521
|
+
/**
|
|
522
|
+
* For now, we're using sanitize-html's default set
|
|
523
|
+
* of allowed tags and attributes, which don't even include img elements
|
|
524
|
+
*
|
|
525
|
+
* It is known many client depends on pontentially vulnerable tags, such as script tags
|
|
526
|
+
* We chose to be restrictive at first, and document those restrictions later.
|
|
527
|
+
*
|
|
528
|
+
* When expanding the set of allowed tags and attributes, please consider performance, privacy and security.
|
|
529
|
+
*
|
|
530
|
+
* This possibily breaks compatibility with Portal and Store Framework,
|
|
531
|
+
* which both allows an enormous amount of tags and attributes
|
|
532
|
+
*
|
|
533
|
+
* This was a thoughtful decision that can be reviewed in the future given
|
|
534
|
+
* research was made to back up those changes.
|
|
535
|
+
*/
|
|
536
|
+
const sanitizeHtml = (dirty, options) => sanitizeHtmlLib(dirty, options);
|
|
537
|
+
|
|
538
|
+
function sanitizeProduct(product) {
|
|
539
|
+
return {
|
|
540
|
+
...product,
|
|
541
|
+
description: product.description ? sanitizeHtml(product.description) : product.description
|
|
542
|
+
};
|
|
543
|
+
}
|
|
518
544
|
const enhanceSku = (item, product) => ({
|
|
519
545
|
...item,
|
|
520
|
-
isVariantOf: product
|
|
546
|
+
isVariantOf: sanitizeProduct(product)
|
|
521
547
|
});
|
|
522
548
|
|
|
523
549
|
class FastStoreError extends Error {
|