@faststore/api 2.2.0-alpha.6 → 2.2.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/api.cjs.development.js +31 -5
- package/dist/api.cjs.development.js.map +1 -1
- package/dist/api.cjs.production.min.js +1 -1
- package/dist/api.cjs.production.min.js.map +1 -1
- package/dist/api.esm.js +31 -5
- package/dist/api.esm.js.map +1 -1
- package/dist/platforms/vtex/utils/sanitizeHtml.d.ts +17 -0
- package/package.json +7 -5
- package/src/platforms/vtex/utils/enhanceSku.ts +11 -1
- package/src/platforms/vtex/utils/sanitizeHtml.ts +21 -0
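--- a/package/dist/api.esm.js
+++ b/package/dist/api.esm.js
@@ -2,6 +2,7 @@ import { makeExecutableSchema } from '@graphql-tools/schema';
 import fetch from 'isomorphic-unfetch';
 import DataLoader from 'dataloader';
 import pLimit from 'p-limit';
+import sanitizeHtmlLib from 'sanitize-html';
 import deepEquals from 'fast-deep-equal';
 import crypto from 'crypto';
 import { GraphQLScalarType, print, Kind as Kind$1 } from 'graphql';
@@ -18,7 +19,7 @@ import { trace, context, SpanKind } from '@opentelemetry/api';
 import { SeverityNumber } from '@opentelemetry/api-logs';
 
 var name = "@faststore/api";
-var version = "2.2.0
+var version = "2.2.0";
 var license = "MIT";
 var main = "dist/index.js";
 var typings = "dist/index.d.ts";
@@ -50,15 +51,17 @@ var dependencies = {
 dataloader: "^2.1.0",
 "fast-deep-equal": "^3.1.3",
 "isomorphic-unfetch": "^3.1.0",
-"p-limit": "^3.1.0"
+"p-limit": "^3.1.0",
+"sanitize-html": "^2.11.0"
 };
 var devDependencies = {
 "@envelop/core": "^2.6.0",
-"@faststore/eslint-config": "^2.2.0
-"@faststore/shared": "^2.2.0
+"@faststore/eslint-config": "^2.2.0",
+"@faststore/shared": "^2.2.0",
 "@graphql-codegen/cli": "2.2.0",
 "@graphql-codegen/typescript": "2.2.2",
 "@types/express": "^4.17.16",
+"@types/sanitize-html": "^2.9.1",
 concurrently: "^6.2.1",
 eslint: "7.32.0",
 express: "^4.17.3",
@@ -511,9 +514,32 @@ const getSimulationLoader = (_, clients) => {
 });
 };
 
+/**
+* For now, we're using sanitize-html's default set
+* of allowed tags and attributes, which don't even include img elements
+*
+* It is known many client depends on pontentially vulnerable tags, such as script tags
+* We chose to be restrictive at first, and document those restrictions later.
+*
+* When expanding the set of allowed tags and attributes, please consider performance, privacy and security.
+*
+* This possibily breaks compatibility with Portal and Store Framework,
+* which both allows an enormous amount of tags and attributes
+*
+* This was a thoughtful decision that can be reviewed in the future given
+* research was made to back up those changes.
+*/
+const sanitizeHtml = (dirty, options) => sanitizeHtmlLib(dirty, options);
+
+function sanitizeProduct(product) {
+return {
+...product,
+description: product.description ? sanitizeHtml(product.description) : product.description
+};
+}
 const enhanceSku = (item, product) => ({
 ...item,
-isVariantOf: product
+isVariantOf: sanitizeProduct(product)
 });
 
 class FastStoreError extends Error {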
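Review bot: The `sanitizeHtml` wrapper in the last hunk forwards an `options` argument straight to sanitize-html, so the restrictive-defaults policy described in the comment above it holds only while no caller passes options; a caller that supplies `allowedTags` replaces the default allow-list rather than extending it. If the defaults are meant to be the policy, drop the parameter or merge caller options over a fixed base, e.g. `const sanitizeHtml = (dirty) => sanitizeHtmlLib(dirty);`. `sanitizeProduct` treats only `description` as HTML; whether other product fields carry markup cannot be told from this hunk, so a one-line comment such as `// description is the only product field rendered as HTML; extend here if others are added` would make the scope explicit. This file is build output, so the change belongs in `package/src/platforms/vtex/utils/sanitizeHtml.ts` listed in the diffstat, with `dist` regenerated from it.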