@heliosgraphics/utils 6.0.0-alpha.17 → 6.0.0-alpha.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -2
- package/sanitize.ts +15 -4
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@heliosgraphics/utils",
|
|
3
|
-
"version": "6.0.0-alpha.
|
|
3
|
+
"version": "6.0.0-alpha.19",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"sideEffects": false,
|
|
6
6
|
"author": "Chris Puska <chris@puska.org>",
|
|
@@ -27,6 +27,6 @@
|
|
|
27
27
|
"url": "https://github.com/heliosgraphics/helios-ui/issues"
|
|
28
28
|
},
|
|
29
29
|
"devDependencies": {
|
|
30
|
-
"@types/node": "^
|
|
30
|
+
"@types/node": "^26"
|
|
31
31
|
}
|
|
32
32
|
}
|
package/sanitize.ts
CHANGED
|
@@ -25,6 +25,9 @@ const ALLOWED_TAGS = new Set([
|
|
|
25
25
|
const ALLOWED_ATTRIBUTES = new Set(["class", "id", "title"])
|
|
26
26
|
|
|
27
27
|
const SAFE_PROTOCOLS = /^(https?|mailto|tel|ftp):/i
|
|
28
|
+
const UNSAFE_PROTOCOLS = new Set(["data", "javascript", "livescript", "mocha", "vbscript"])
|
|
29
|
+
const EMOJI_CLUSTER_LEFT_PATTERN: RegExp = /\p{Extended_Pictographic}(?:\uFE0F|[\u{1F3FB}-\u{1F3FF}])*$/u
|
|
30
|
+
const EMOJI_CLUSTER_RIGHT_PATTERN: RegExp = /^\p{Extended_Pictographic}/u
|
|
28
31
|
|
|
29
32
|
interface SanitizeTextOptions {
|
|
30
33
|
allowLinks?: boolean
|
|
@@ -85,6 +88,15 @@ const DANGEROUS_FUNCTIONS: Array<RegExp> = [
|
|
|
85
88
|
/createElement\s*\(\s*["']script["']\s*\)/gi,
|
|
86
89
|
]
|
|
87
90
|
|
|
91
|
+
const stripUnsafeZeroWidthCharacter = (character: string, index: number, text: string): string => {
|
|
92
|
+
if (character !== "\u200D") return ""
|
|
93
|
+
|
|
94
|
+
const leftText: string = text.slice(0, index)
|
|
95
|
+
const rightText: string = text.slice(index + character.length)
|
|
96
|
+
|
|
97
|
+
return EMOJI_CLUSTER_LEFT_PATTERN.test(leftText) && EMOJI_CLUSTER_RIGHT_PATTERN.test(rightText) ? character : ""
|
|
98
|
+
}
|
|
99
|
+
|
|
88
100
|
export const sanitizeText = (input: string = "", options: SanitizeTextOptions = {}): string => {
|
|
89
101
|
if (!input) return ""
|
|
90
102
|
|
|
@@ -95,7 +107,6 @@ export const sanitizeText = (input: string = "", options: SanitizeTextOptions =
|
|
|
95
107
|
.replace(/<!--[\s\S]*?-->/g, "")
|
|
96
108
|
.replace(/\\[0-9a-f]{1,6}\s*/gi, "")
|
|
97
109
|
.replace(/<img[^>]*src\s*=\s*["']data:[^"']*["'][^>]*>/gi, "")
|
|
98
|
-
.replace(/data\s*:[^"'\s>)]*/gi, "")
|
|
99
110
|
|
|
100
111
|
// Then decode entities
|
|
101
112
|
sanitized = sanitized
|
|
@@ -140,7 +151,7 @@ export const sanitizeText = (input: string = "", options: SanitizeTextOptions =
|
|
|
140
151
|
}
|
|
141
152
|
|
|
142
153
|
sanitized = sanitized
|
|
143
|
-
.replace(/[\u200B-\u200D\uFEFF]/g,
|
|
154
|
+
.replace(/[\u200B-\u200D\uFEFF]/g, stripUnsafeZeroWidthCharacter)
|
|
144
155
|
// eslint-disable-next-line no-control-regex
|
|
145
156
|
.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g, "")
|
|
146
157
|
.replace(/[\u202A-\u202E]/g, "")
|
|
@@ -154,11 +165,11 @@ export const sanitizeText = (input: string = "", options: SanitizeTextOptions =
|
|
|
154
165
|
sanitized = sanitized.replace(/<style\b[^>]*>[\s\S]*$/gi, "")
|
|
155
166
|
|
|
156
167
|
sanitized = sanitized.replace(
|
|
157
|
-
/(\w+(?:[\s\u00A0]*\w)*)\s*(?::|:|:|%3a|%3A|\\:|:)/gi,
|
|
168
|
+
/(\w+(?:[\s\u00A0]*\w)*)\s*(?::|:|:|%3a|%3A|\\:|:)(?=\S)/gi,
|
|
158
169
|
(_: string, protocol: string) => {
|
|
159
170
|
const cleanProtocol = protocol.replace(/[\s\u00A0]/g, "").toLowerCase()
|
|
160
171
|
const testString = cleanProtocol + ":"
|
|
161
|
-
return SAFE_PROTOCOLS.test(testString) ? testString : ""
|
|
172
|
+
return SAFE_PROTOCOLS.test(testString) || !UNSAFE_PROTOCOLS.has(cleanProtocol) ? testString : ""
|
|
162
173
|
},
|
|
163
174
|
)
|
|
164
175
|
|