@heliosgraphics/ui 2.0.1-alpha.5 → 2.0.1-alpha.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/utils/markdown.spec.ts +30 -0
- package/utils/markdown.ts +14 -1
package/package.json
CHANGED
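--- a/package/utils/markdown.spec.ts
+++ b/package/utils/markdown.spec.ts
@@ -5,7 +5,37 @@ describe("markdown", () => {
 describe("renderMarkdown", () => {
 const SAMPLE = `Hello\n\nHey`
 const SAMPLE_OUTPUT = `<p>Hello</p>\n<p>Hey</p>\n`
+const MALICIOUS_SAMPLE = `Hello <script>alert(1)</script> **world**`
+const MALICIOUS_SAMPLE_OUTPUT = `<p>Hello <strong>world</strong></p>`
+const MALICIOUS_LINK_SAMPLE = `[x](data:text/html,<script>alert(1)</script>)`
+const MALICIOUS_LINK_SAMPLE_OUTPUT = `<p>x</p>\n`
+const MALICIOUS_EVENT_HANDLER_SAMPLE = `<div onclick="alert(1)">hi</div>`
+const MALICIOUS_EVENT_HANDLER_SAMPLE_OUTPUT = `<div>hi</div>`
 
 it("Returns", () => expect(renderMarkdown(SAMPLE)).toEqual(SAMPLE_OUTPUT))
+
+it("strips unsafe html from markdown output", () => {
+const result = renderMarkdown(MALICIOUS_SAMPLE)
+
+expect(result).toContain(MALICIOUS_SAMPLE_OUTPUT)
+expect(result).not.toContain("<script")
+expect(result).not.toContain("alert(1)")
+})
+
+it("strips unsafe link protocols without leaving broken markup", () => {
+const result = renderMarkdown(MALICIOUS_LINK_SAMPLE)
+
+expect(result).toEqual(MALICIOUS_LINK_SAMPLE_OUTPUT)
+expect(result).not.toContain("data:")
+expect(result).not.toContain("<script")
+})
+
+it("removes inline event handler attributes from raw html", () => {
+const result = renderMarkdown(MALICIOUS_EVENT_HANDLER_SAMPLE)
+
+expect(result).toEqual(MALICIOUS_EVENT_HANDLER_SAMPLE_OUTPUT)
+expect(result).not.toContain("onclick")
+expect(result).not.toContain("alert(1)")
+})
 })
 })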
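Review bot: The test at new line 25 covers only a `data:` URL, although its name promises unsafe link protocols in general; a `javascript:` case and a mixed-case scheme variant would pin the allowlist itself rather than one scheme. The script test at new line 20 uses `toContain` where the other two new tests use `toEqual`, so stray whitespace or a dropped trailing newline left around the removed element goes undetected; once the exact sanitized string is known, `expect(result).toEqual(...)` keeps all three tests at the same strength. These assertions also exercise `sanitizeText` from `@heliosgraphics/utils`, which lives outside this package, so what they pin depends on that dependency's version as much as on this file.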
package/utils/markdown.ts
CHANGED
|
@@ -1,10 +1,23 @@
|
|
|
1
1
|
import { Marked } from "marked"
|
|
2
2
|
import { markedXhtml } from "marked-xhtml"
|
|
3
3
|
import markedLinkifyIt from "marked-linkify-it"
|
|
4
|
+
import { sanitizeText } from "@heliosgraphics/utils"
|
|
4
5
|
|
|
5
6
|
const marked = new Marked({ breaks: true, gfm: true })
|
|
7
|
+
const SAFE_MARKDOWN_LINK_PATTERN: RegExp = /^(?:https?:|mailto:|tel:|\/|#)/i
|
|
6
8
|
|
|
7
9
|
marked.use(markedXhtml())
|
|
8
10
|
marked.use(markedLinkifyIt())
|
|
9
11
|
|
|
10
|
-
|
|
12
|
+
const stripUnsafeMarkdownLinks = (html: string): string => {
|
|
13
|
+
return html.replace(/<a\b[^>]*href="([^"]*)"[^>]*>(.*?)<\/a>/gi, (match: string, href: string, text: string) => {
|
|
14
|
+
return SAFE_MARKDOWN_LINK_PATTERN.test(href) ? match : text
|
|
15
|
+
})
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
export const renderMarkdown = (text: string): string => {
|
|
19
|
+
const renderedMarkdown: string = marked.parse(text) as string
|
|
20
|
+
const sanitizedMarkdown: string = sanitizeText(stripUnsafeMarkdownLinks(renderedMarkdown))
|
|
21
|
+
|
|
22
|
+
return renderedMarkdown.endsWith("\n") ? `${sanitizedMarkdown}\n` : sanitizedMarkdown
|
|
23
|
+
}
|
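Review bot: `stripUnsafeMarkdownLinks` at new line 13 only matches anchors whose `href` is double-quoted and whose content sits on one line (`.*?` without the `s` flag), so a raw HTML anchor written in the markdown with single quotes, or one wrapping a line break, keeps whatever scheme it carries and never reaches the allowlist; marked emits double quotes for its own links, but it passes raw HTML through as written. Whether `sanitizeText` then rejects such hrefs is not visible in this file. A more tolerant pattern such as `/<a\b[^>]*href=(["'])([^"']*)\1[^>]*>([\s\S]*?)<\/a>/gi` with the callback taking `(match, _quote, href, text)` closes both gaps, or the allowlist can be applied in a marked `renderer.link` override before any HTML exists, which avoids parsing HTML with a regex at all. Separately, the `\/` alternative in `SAFE_MARKDOWN_LINK_PATTERN` at new line 7 also admits protocol-relative `//host/...` destinations; if only same-origin paths are intended, `\/(?!\/)` narrows it.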