rimecms 0.25.5 → 0.25.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/util/string.js +12 -3
- package/package.json +1 -1
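--- a/package/dist/util/string.js
+++ b/package/dist/util/string.js
@@ -174,6 +174,7 @@ export const sanitize = (value) => {
 return value || '';
 if (!parser)
 parser = Parser();
+const WHITESPACE_MARKER = '\uE000';
 const decode = (value) => value
 .replace(/&/g, '&')
 .replace(/"/g, '"')
@@ -182,12 +183,20 @@ export const sanitize = (value) => {
 .replace(/'/g, "'")
 .replace(/'/g, "'")
 .replace(/&/g, '&');
+const encodeTextSpace = (html) => html
+.split(/(<[^>]*>)/g)
+.map((segment) => segment.startsWith('<') && segment.endsWith('>')
+? segment
+: segment.replace(/ /g, WHITESPACE_MARKER))
+.join('');
+const restoreWhitespace = (str) => str.replace(new RegExp(WHITESPACE_MARKER, 'g'), ' ');
 // Decode multiple levels of encoding on input
 let decodedValue = value;
 while (decodedValue.match(/&|"|<|>|'|'|&/)) {
 decodedValue = decode(decodedValue);
 }
-const
+const protectedInput = encodeTextSpace(decodedValue);
+const { root } = parser.parseFromString(protectedInput);
 const allowedTags = new Set(['strong', 'b', 'em', 'i', 'u', 'br', 'a']);
 const dangerousTags = new Set(['script', 'style', 'iframe', 'object', 'embed', 'svg']);
 const eventHandlers = /^on[a-z]+$/i;
@@ -197,7 +206,7 @@ export const sanitize = (value) => {
 return '';
 // Handle text nodes
 if (node.nodeName === '#text') {
-return node.nodeValue || '';
+return (node.nodeValue || '').replace(new RegExp(WHITESPACE_MARKER, 'g'), ' ');
 }
 // Handle comment nodes - remove them
 if (node.nodeName === '#comment') {
@@ -260,5 +269,5 @@ export const sanitize = (value) => {
 return '';
 };
 const sanitized = root.children ? root.children.map(processNode).join('') : '';
-return decode(sanitized);
+return decode(restoreWhitespace(sanitized));
 };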
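Review bot: The marker U+E000 that `encodeTextSpace` inserts is never stripped from the input beforehand, so a U+E000 already present in `decodedValue` passes through both the tag and the text segments untouched and is converted to a space by the final `restoreWhitespace(sanitized)` only after every check in `processNode` has run against the marker form. Any attribute-value validation between `parseFromString` and that final call (it lies outside these hunks, so this is inferred) therefore inspects a different string than the one `sanitize` returns. Strip the marker before protecting the input, `const protectedInput = encodeTextSpace(decodedValue.replace(/\uE000/g, ''));`, so the post-sanitization restore can only reintroduce spaces the function itself hid. The per-text-node `new RegExp(WHITESPACE_MARKER, 'g')` at new line 209 duplicates the `restoreWhitespace` helper defined a few lines earlier and can simply call it. The rendered page also appears to have decoded the HTML entities inside `decode`'s patterns (e.g. `.replace(/&/g, '&')`) and truncated the removed `const` line, so those lines should be read against the published file rather than this listing.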