@faststore/api 2.2.0-alpha.6 → 2.2.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/api.cjs.development.js +31 -5
- package/dist/api.cjs.development.js.map +1 -1
- package/dist/api.cjs.production.min.js +1 -1
- package/dist/api.cjs.production.min.js.map +1 -1
- package/dist/api.esm.js +31 -5
- package/dist/api.esm.js.map +1 -1
- package/dist/platforms/vtex/utils/sanitizeHtml.d.ts +17 -0
- package/package.json +7 -5
- package/src/platforms/vtex/utils/enhanceSku.ts +11 -1
- package/src/platforms/vtex/utils/sanitizeHtml.ts +21 -0
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import sanitizeHtmlLib from 'sanitize-html';
|
|
2
|
+
/**
|
|
3
|
+
* For now, we're using sanitize-html's default set
|
|
4
|
+
* of allowed tags and attributes, which don't even include img elements
|
|
5
|
+
*
|
|
6
|
+
* It is known many client depends on pontentially vulnerable tags, such as script tags
|
|
7
|
+
* We chose to be restrictive at first, and document those restrictions later.
|
|
8
|
+
*
|
|
9
|
+
* When expanding the set of allowed tags and attributes, please consider performance, privacy and security.
|
|
10
|
+
*
|
|
11
|
+
* This possibily breaks compatibility with Portal and Store Framework,
|
|
12
|
+
* which both allows an enormous amount of tags and attributes
|
|
13
|
+
*
|
|
14
|
+
* This was a thoughtful decision that can be reviewed in the future given
|
|
15
|
+
* research was made to back up those changes.
|
|
16
|
+
*/
|
|
17
|
+
export declare const sanitizeHtml: (dirty: Parameters<typeof sanitizeHtmlLib>[0], options?: Parameters<typeof sanitizeHtmlLib>[1]) => string;
|
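--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@faststore/api",
-"version": "2.2.
+"version": "2.2.16",
 "license": "MIT",
 "main": "dist/index.js",
 "typings": "dist/index.d.ts",
@@ -32,15 +32,17 @@
 "dataloader": "^2.1.0",
 "fast-deep-equal": "^3.1.3",
 "isomorphic-unfetch": "^3.1.0",
-"p-limit": "^3.1.0"
+"p-limit": "^3.1.0",
+"sanitize-html": "^2.11.0"
 },
 "devDependencies": {
 "@envelop/core": "^2.6.0",
-"@faststore/eslint-config": "^2.2.
-"@faststore/shared": "^2.2.
+"@faststore/eslint-config": "^2.2.16",
+"@faststore/shared": "^2.2.16",
 "@graphql-codegen/cli": "2.2.0",
 "@graphql-codegen/typescript": "2.2.2",
 "@types/express": "^4.17.16",
+"@types/sanitize-html": "^2.9.1",
 "concurrently": "^6.2.1",
 "eslint": "7.32.0",
 "express": "^4.17.3",
@@ -56,5 +58,5 @@
 "@envelop/core": "^1 || ^2",
 "graphql": "^15.6.0"
 },
-"gitHead": "
+"gitHead": "4ecdc351834e7d73981508a3b22e3fc04cb19b2c"
 }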
@@ -1,8 +1,18 @@
|
|
|
1
1
|
import type { Product, Item } from '../clients/search/types/ProductSearchResult'
|
|
2
|
+
import { sanitizeHtml } from './sanitizeHtml'
|
|
2
3
|
|
|
3
4
|
export type EnhancedSku = Item & { isVariantOf: Product }
|
|
4
5
|
|
|
6
|
+
function sanitizeProduct(product: Product): Product {
|
|
7
|
+
return {
|
|
8
|
+
...product,
|
|
9
|
+
description: product.description
|
|
10
|
+
? sanitizeHtml(product.description)
|
|
11
|
+
: product.description,
|
|
12
|
+
}
|
|
13
|
+
}
|
|
14
|
+
|
|
5
15
|
export const enhanceSku = (item: Item, product: Product): EnhancedSku => ({
|
|
6
16
|
...item,
|
|
7
|
-
isVariantOf: product,
|
|
17
|
+
isVariantOf: sanitizeProduct(product),
|
|
8
18
|
})
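Review bot: `sanitizeProduct` passes only `description` through `sanitizeHtml`; if `Product` (declared in `../clients/search/types/ProductSearchResult`, outside this hunk) carries any other field that is later rendered as HTML, that field still leaves `enhanceSku` unsanitized, so the choice of fields should be confirmed against that type and stated on the helper, e.g. `/** Shallow copy of product with description run through sanitizeHtml; every other field is copied untouched. */`. Because `enhanceSku` receives the product per item, callers that invoke it once for each SKU of the same product (the callers are outside this hunk) will re-sanitize the identical `description` string each time; if that shows up in profiles, sanitizing once per product before the per-item loop keeps the output the same. The truthiness guard leaves `undefined` and empty descriptions as-is, which is correct since only non-empty strings need filtering.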
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import sanitizeHtmlLib from 'sanitize-html'
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* For now, we're using sanitize-html's default set
|
|
5
|
+
* of allowed tags and attributes, which don't even include img elements
|
|
6
|
+
*
|
|
7
|
+
* It is known many client depends on pontentially vulnerable tags, such as script tags
|
|
8
|
+
* We chose to be restrictive at first, and document those restrictions later.
|
|
9
|
+
*
|
|
10
|
+
* When expanding the set of allowed tags and attributes, please consider performance, privacy and security.
|
|
11
|
+
*
|
|
12
|
+
* This possibily breaks compatibility with Portal and Store Framework,
|
|
13
|
+
* which both allows an enormous amount of tags and attributes
|
|
14
|
+
*
|
|
15
|
+
* This was a thoughtful decision that can be reviewed in the future given
|
|
16
|
+
* research was made to back up those changes.
|
|
17
|
+
*/
|
|
18
|
+
export const sanitizeHtml = (
|
|
19
|
+
dirty: Parameters<typeof sanitizeHtmlLib>[0],
|
|
20
|
+
options?: Parameters<typeof sanitizeHtmlLib>[1]
|
|
21
|
+
) => sanitizeHtmlLib(dirty, options)
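Review bot: The `options` argument is forwarded to `sanitizeHtmlLib` unchanged, so the restrictive default allow-list the header comment commits to holds only for callers that omit it; any caller can replace `allowedTags`/`allowedAttributes` and this wrapper has no way to notice or enforce the documented policy. The only in-package caller added in this release, `sanitizeProduct`, passes no options, so the exported signature can be narrowed to `export const sanitizeHtml = (dirty: Parameters<typeof sanitizeHtmlLib>[0]) => sanitizeHtmlLib(dirty)`, or, if overrides are genuinely needed, caller options should be merged on top of an explicit baseline object rather than the library defaults, since the `"sanitize-html": "^2.11.0"` range in package.json lets a minor upgrade change what those defaults permit. The comment should also gain a contract line for readers of the export, e.g. `@param dirty untrusted HTML, typically a product description from the catalog API` and `@returns HTML restricted to sanitize-html's default allowed tags and attributes`, and the typos `pontentially`, `possibily` and `many client depends` should be fixed in the source (the generated `.d.ts` copies them).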
|