nca-ai-cms-astro-plugin 1.0.0

package/src/utils/markdown.test.ts

@@ -0,0 +1,65 @@
+import { describe, it, expect } from "vitest";
+import { renderMarkdown } from "./markdown.js";
+
+describe("renderMarkdown", () => {
+  it("converts a heading to an h1 tag", async () => {
+    const result = await renderMarkdown("# Hello");
+    expect(result).toContain("<h1>Hello</h1>");
+  });
+
+  it("converts h2 and h3 headings", async () => {
+    const result = await renderMarkdown("## Two\n\n### Three");
+    expect(result).toContain("<h2>Two</h2>");
+    expect(result).toContain("<h3>Three</h3>");
+  });
+
+  it("converts markdown links to anchor tags", async () => {
+    const result = await renderMarkdown("[Example](https://example.com)");
+    expect(result).toContain('<a href="https://example.com">Example</a>');
+  });
+
+  it("converts markdown images to img tags", async () => {
+    const result = await renderMarkdown(
+      "![Alt text](https://example.com/img.png)",
+    );
+    expect(result).toContain("<img");
+    expect(result).toContain('src="https://example.com/img.png"');
+    expect(result).toContain('alt="Alt text"');
+  });
+
+  it("strips script tags injected via markdown", async () => {
+    const result = await renderMarkdown(
+      'Hello <script>alert("xss")</script> world',
+    );
+    expect(result).not.toContain("<script>");
+    expect(result).not.toContain("alert");
+  });
+
+  it("strips event handlers from inline HTML", async () => {
+    const result = await renderMarkdown(
+      '<p onclick="alert(1)">Click</p>',
+    );
+    expect(result).not.toContain("onclick");
+    expect(result).toContain("Click");
+  });
+
+  it("returns empty string for empty input", async () => {
+    const result = await renderMarkdown("");
+    expect(result).toBe("");
+  });
+
+  it("converts blockquotes", async () => {
+    const result = await renderMarkdown("> A wise quote");
+    expect(result).toContain("<blockquote>");
+    expect(result).toContain("A wise quote");
+  });
+
+  it("converts inline formatting (bold, italic, strikethrough)", async () => {
+    const result = await renderMarkdown(
+      "**bold** *italic* ~~deleted~~",
+    );
+    expect(result).toContain("<strong>bold</strong>");
+    expect(result).toContain("<em>italic</em>");
+    expect(result).toContain("<del>deleted</del>");
+  });
+});

package/src/utils/markdown.ts

@@ -0,0 +1,13 @@
+import { marked } from "marked";
+import { sanitizeMarkdownHtml } from "./sanitize.js";
+
+/**
+ * Converts a markdown string to sanitized HTML.
+ *
+ * Always use this function instead of calling `marked()` directly --
+ * bare marked output is unsanitized and vulnerable to XSS.
+ */
+export async function renderMarkdown(markdown: string): Promise<string> {
+  const rawHtml = await marked(markdown);
+  return sanitizeMarkdownHtml(rawHtml);
+}

package/src/utils/sanitize.test.ts

@@ -0,0 +1,180 @@
+import { describe, it, expect } from "vitest";
+import {
+  sanitizeMarkdownHtml,
+  escapeJsonLd,
+  escapeHtml,
+} from "./sanitize.js";
+
+describe("sanitizeMarkdownHtml", () => {
+  // --- Safe HTML preservation ---
+
+  it("preserves basic paragraph content", () => {
+    const html = "<p>Hello world</p>";
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves headings h1 through h6", () => {
+    for (let i = 1; i <= 6; i++) {
+      const html = `<h${i}>Heading ${i}</h${i}>`;
+      expect(sanitizeMarkdownHtml(html)).toBe(html);
+    }
+  });
+
+  it("preserves inline formatting tags", () => {
+    const html =
+      "<p><strong>bold</strong> <em>italic</em> <b>b</b> <i>i</i> <del>del</del> <s>strike</s></p>";
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves sub, sup, and mark tags", () => {
+    const html = "<p><sub>sub</sub> <sup>sup</sup> <mark>marked</mark></p>";
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves links with permitted attributes", () => {
+    const html =
+      '<p><a href="https://example.com" title="Example" target="_blank" rel="noopener">link</a></p>';
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves images with permitted attributes", () => {
+    const html =
+      '<img src="https://example.com/img.png" alt="photo" title="Photo" width="100" height="50" loading="lazy" />';
+    expect(sanitizeMarkdownHtml(html)).toContain('src="https://example.com/img.png"');
+    expect(sanitizeMarkdownHtml(html)).toContain('alt="photo"');
+    expect(sanitizeMarkdownHtml(html)).toContain('loading="lazy"');
+  });
+
+  it("preserves images with data: scheme", () => {
+    const html = '<img src="data:image/png;base64,abc123" alt="inline" />';
+    expect(sanitizeMarkdownHtml(html)).toContain("data:image/png;base64,abc123");
+  });
+
+  it("preserves code blocks with class attribute", () => {
+    const html = '<pre class="language-ts"><code class="language-ts">const x = 1;</code></pre>';
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves unordered and ordered lists", () => {
+    const ul = "<ul><li>one</li><li>two</li></ul>";
+    const ol = "<ol><li>first</li><li>second</li></ol>";
+    expect(sanitizeMarkdownHtml(ul)).toBe(ul);
+    expect(sanitizeMarkdownHtml(ol)).toBe(ol);
+  });
+
+  it("preserves definition lists (dl, dt, dd)", () => {
+    const html = "<dl><dt>Term</dt><dd>Definition</dd></dl>";
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves table elements with align attribute", () => {
+    const html =
+      '<table><thead><tr><th align="left">Col</th></tr></thead><tbody><tr><td align="right">Val</td></tr></tbody></table>';
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves blockquote, hr, and br tags", () => {
+    const html = "<blockquote><p>Quote</p></blockquote><hr /><br />";
+    expect(sanitizeMarkdownHtml(html)).toContain("<blockquote>");
+    expect(sanitizeMarkdownHtml(html)).toContain("<hr");
+    expect(sanitizeMarkdownHtml(html)).toContain("<br");
+  });
+
+  it("preserves id attribute on any element", () => {
+    const html = '<h2 id="section-one">Section One</h2>';
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves div tags", () => {
+    const html = "<div><p>Content</p></div>";
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  it("preserves mailto links", () => {
+    const html = '<a href="mailto:test@example.com">Email</a>';
+    expect(sanitizeMarkdownHtml(html)).toBe(html);
+  });
+
+  // --- XSS stripping ---
+
+  it("strips script tags", () => {
+    const html = '<p>Hello</p><script>alert("xss")</script>';
+    expect(sanitizeMarkdownHtml(html)).toBe("<p>Hello</p>");
+  });
+
+  it("strips event handler attributes", () => {
+    const html = '<p onclick="alert(1)">Click me</p>';
+    expect(sanitizeMarkdownHtml(html)).toBe("<p>Click me</p>");
+  });
+
+  it("strips javascript: scheme in links", () => {
+    const html = '<a href="javascript:alert(1)">XSS</a>';
+    expect(sanitizeMarkdownHtml(html)).not.toContain("javascript:");
+  });
+
+  it("strips iframe tags", () => {
+    const html = '<iframe src="https://evil.com"></iframe>';
+    expect(sanitizeMarkdownHtml(html)).toBe("");
+  });
+
+  it("strips style tags", () => {
+    const html = "<style>body { display: none; }</style><p>Text</p>";
+    expect(sanitizeMarkdownHtml(html)).toBe("<p>Text</p>");
+  });
+
+  it("strips disallowed attributes from allowed tags", () => {
+    const html = '<p style="color:red" data-custom="x">Text</p>';
+    expect(sanitizeMarkdownHtml(html)).toBe("<p>Text</p>");
+  });
+});
+
+describe("escapeJsonLd", () => {
+  it("escapes closing script tags", () => {
+    const input = '{"name":"</script>"}';
+    const result = escapeJsonLd(input);
+    expect(result).not.toContain("</script>");
+    expect(result).toContain("<\\/script>");
+  });
+
+  it("escapes closing script tags case-insensitively", () => {
+    const input = '{"x":"</SCRIPT>"}';
+    const result = escapeJsonLd(input);
+    expect(result).not.toMatch(/<\/script>/i);
+  });
+
+  it("escapes HTML comments", () => {
+    const input = '{"comment":"<!-- hidden -->"}';
+    const result = escapeJsonLd(input);
+    expect(result).not.toContain("<!--");
+    expect(result).toContain("<\\!--");
+  });
+
+  it("returns unchanged string when nothing to escape", () => {
+    const input = '{"name":"Safe String"}';
+    expect(escapeJsonLd(input)).toBe(input);
+  });
+});
+
+describe("escapeHtml", () => {
+  it("escapes ampersands", () => {
+    expect(escapeHtml("a & b")).toBe("a &amp; b");
+  });
+
+  it("escapes less-than and greater-than signs", () => {
+    expect(escapeHtml("<div>")).toBe("&lt;div&gt;");
+  });
+
+  it("escapes double quotes", () => {
+    expect(escapeHtml('"hello"')).toBe("&quot;hello&quot;");
+  });
+
+  it("escapes single quotes", () => {
+    expect(escapeHtml("it's")).toBe("it&#039;s");
+  });
+
+  it("escapes all special characters together", () => {
+    expect(escapeHtml('<a href="x">&\'')).toBe(
+      "&lt;a href=&quot;x&quot;&gt;&amp;&#039;",
+    );
+  });
+});

package/src/utils/sanitize.ts

@@ -0,0 +1,98 @@
+import sanitize from "sanitize-html";
+
+const MARKDOWN_ALLOWED_TAGS: string[] = [
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "p",
+  "blockquote",
+  "pre",
+  "code",
+  "ul",
+  "ol",
+  "li",
+  "table",
+  "thead",
+  "tbody",
+  "tfoot",
+  "tr",
+  "th",
+  "td",
+  "caption",
+  "colgroup",
+  "col",
+  "hr",
+  "br",
+  "div",
+  "a",
+  "strong",
+  "em",
+  "b",
+  "i",
+  "del",
+  "s",
+  "sub",
+  "sup",
+  "mark",
+  "img",
+  "dl",
+  "dt",
+  "dd",
+];
+
+const MARKDOWN_ALLOWED_ATTRIBUTES: Record<string, string[]> = {
+  a: ["href", "title", "target", "rel"],
+  img: ["src", "alt", "title", "width", "height", "loading"],
+  td: ["align"],
+  th: ["align"],
+  code: ["class"],
+  pre: ["class"],
+  "*": ["id"],
+};
+
+const MARKDOWN_ALLOWED_SCHEMES: Record<string, string[]> = {
+  a: ["http", "https", "mailto"],
+  img: ["http", "https", "data"],
+};
+
+/**
+ * Sanitizes HTML produced from markdown rendering using an allowlist approach.
+ * Strips all tags, attributes, and URI schemes not explicitly permitted.
+ */
+export function sanitizeMarkdownHtml(dirtyHtml: string): string {
+  return sanitize(dirtyHtml, {
+    allowedTags: MARKDOWN_ALLOWED_TAGS,
+    allowedAttributes: MARKDOWN_ALLOWED_ATTRIBUTES,
+    allowedSchemes: MARKDOWN_ALLOWED_SCHEMES.a,
+    allowedSchemesByTag: MARKDOWN_ALLOWED_SCHEMES,
+    allowProtocolRelative: false,
+  });
+}
+
+/**
+ * Escapes dangerous sequences in a JSON string intended for embedding
+ * inside a `<script type="application/ld+json">` block.
+ *
+ * Prevents premature script tag closure and HTML comment injection.
+ */
+export function escapeJsonLd(jsonString: string): string {
+  return jsonString
+    .replace(/<\/script/gi, "<\\/script")
+    .replace(/<!--/g, "<\\!--");
+}
+
+/**
+ * Encodes special HTML characters as entities.
+ * Use for interpolating untrusted text into HTML element content.
+ */
+export function escapeHtml(unsafe: string): string {
+  return unsafe
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+}

package/tsconfig.json

@@ -0,0 +1,22 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ES2022",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "jsx": "react-jsx",
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedIndexedAccess": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["dist", "node_modules", "**/*.test.ts"]
+}

package/vitest.config.ts

@@ -0,0 +1,14 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+    include: ['src/**/*.test.ts', 'src/**/*.spec.ts'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'html'],
+      exclude: ['node_modules/', '**/*.d.ts'],
+    },
+  },
+});