@heliosgraphics/utils 6.0.0-alpha.14 → 6.0.0-alpha.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/clipboard.ts +5 -1
- package/package.json +1 -1
- package/sanitize.ts +16 -2
package/clipboard.ts
CHANGED
|
@@ -1,9 +1,13 @@
|
|
|
1
1
|
export const copyValue = async (text: string): Promise<void> => {
|
|
2
|
-
if (navigator
|
|
2
|
+
if (typeof navigator !== "undefined" && navigator.clipboard?.writeText) {
|
|
3
3
|
await navigator.clipboard.writeText(text)
|
|
4
4
|
return
|
|
5
5
|
}
|
|
6
6
|
|
|
7
|
+
if (typeof document === "undefined" || !document.body || typeof document.execCommand !== "function") {
|
|
8
|
+
return
|
|
9
|
+
}
|
|
10
|
+
|
|
7
11
|
const input: HTMLTextAreaElement = document.createElement("textarea")
|
|
8
12
|
|
|
9
13
|
document.body.appendChild(input)
|
package/package.json
CHANGED
package/sanitize.ts
CHANGED
|
@@ -26,6 +26,10 @@ const ALLOWED_ATTRIBUTES = new Set(["class", "id", "title"])
|
|
|
26
26
|
|
|
27
27
|
const SAFE_PROTOCOLS = /^(https?|mailto|tel|ftp):/i
|
|
28
28
|
|
|
29
|
+
interface SanitizeTextOptions {
|
|
30
|
+
allowLinks?: boolean
|
|
31
|
+
}
|
|
32
|
+
|
|
29
33
|
const DANGEROUS_FUNCTIONS: Array<RegExp> = [
|
|
30
34
|
/alert(?=\s*\()/gi,
|
|
31
35
|
/eval(?=\s*\()/gi,
|
|
@@ -81,9 +85,11 @@ const DANGEROUS_FUNCTIONS: Array<RegExp> = [
|
|
|
81
85
|
/createElement\s*\(\s*["']script["']\s*\)/gi,
|
|
82
86
|
]
|
|
83
87
|
|
|
84
|
-
export const sanitizeText = (input: string = ""): string => {
|
|
88
|
+
export const sanitizeText = (input: string = "", options: SanitizeTextOptions = {}): string => {
|
|
85
89
|
if (!input) return ""
|
|
86
90
|
|
|
91
|
+
const { allowLinks = false } = options
|
|
92
|
+
|
|
87
93
|
// First remove dangerous patterns before decoding
|
|
88
94
|
let sanitized = input
|
|
89
95
|
.replace(/<!--[\s\S]*?-->/g, "")
|
|
@@ -162,7 +168,7 @@ export const sanitizeText = (input: string = ""): string => {
|
|
|
162
168
|
(_fullMatch: string, closing: string, tagName: string, attributes: string) => {
|
|
163
169
|
const tag = tagName.toLowerCase()
|
|
164
170
|
|
|
165
|
-
if (!ALLOWED_TAGS.has(tag)) {
|
|
171
|
+
if (!ALLOWED_TAGS.has(tag) && !(allowLinks && tag === "a")) {
|
|
166
172
|
return ""
|
|
167
173
|
}
|
|
168
174
|
|
|
@@ -193,6 +199,10 @@ export const sanitizeText = (input: string = ""): string => {
|
|
|
193
199
|
|
|
194
200
|
cleanAttributes += ` ${attrName}="${cleanValue}"`
|
|
195
201
|
}
|
|
202
|
+
|
|
203
|
+
if (allowLinks && tag === "a" && attrName === "href" && SAFE_PROTOCOLS.test(attrValue)) {
|
|
204
|
+
cleanAttributes += ` href="${attrValue}"`
|
|
205
|
+
}
|
|
196
206
|
}
|
|
197
207
|
})
|
|
198
208
|
}
|
|
@@ -208,6 +218,10 @@ export const sanitizeText = (input: string = ""): string => {
|
|
|
208
218
|
sanitized = sanitized.replace(pattern, "")
|
|
209
219
|
})
|
|
210
220
|
|
|
221
|
+
if (allowLinks) {
|
|
222
|
+
sanitized = sanitized.replace(/<a>(.*?)<\/a>/gi, "$1")
|
|
223
|
+
}
|
|
224
|
+
|
|
211
225
|
// Additional targeted cleanup for specific dangerous contexts
|
|
212
226
|
sanitized = sanitized.replace(/\balert\s*(?=[,)])/gi, "")
|
|
213
227
|
sanitized = sanitized.replace(/\bjavascript\s*(?=:)/gi, "")
|