sanitized 1.1.4 → 1.1.7
- package/README.md +8 -8
- package/index.js +23 -31
- package/package.json +4 -4
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# sanitized
|
|
2
2
|
|
|
3
|
-
sanitized() is a recursive function that'll sanitize a string or ALL strings in
|
|
3
|
+
sanitized() is a recursive function that'll sanitize a string or ALL strings in a json input. It's great for sanitizing form data before it gets submitted to the back-end (re: protection against XSS attacks).
|
|
4
4
|
|
|
5
5
|
It accepts two params the first being the value to sanitize, and the second being options to pass to [DOMPurify](https://www.npmjs.com/package/dompurify).
|
|
6
6
|
|
|
@@ -18,13 +18,13 @@ const sanitized = require("sanitized");
|
|
|
18
18
|
// import sanitized from "sanitized"
|
|
19
19
|
|
|
20
20
|
const test = [
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
21
|
+
"<svg><g/onload=alert(2)//<p>",
|
|
22
|
+
{
|
|
23
|
+
name1: [
|
|
24
|
+
'<math><mi//xlink:href="data:x,<script>alert(4)</script>">',
|
|
25
|
+
{ name2: "<p>abc<iframe//src=jAva	script:alert(3)>def" },
|
|
26
|
+
],
|
|
27
|
+
},
|
|
28
28
|
];
|
|
29
29
|
|
|
30
30
|
sanitized(test);
|
package/index.js
CHANGED
|
@@ -1,50 +1,42 @@
|
|
|
1
1
|
const DOMPurify = require("dompurify");
|
|
2
|
-
const
|
|
2
|
+
const he = require("he");
|
|
3
3
|
|
|
4
4
|
let sanitizer = (dirty) => dirty;
|
|
5
5
|
|
|
6
6
|
if (DOMPurify.sanitize) {
|
|
7
|
-
sanitizer = (dirty, options) => decode(DOMPurify.sanitize(dirty, options));
|
|
7
|
+
sanitizer = (dirty, options) => he.decode(DOMPurify.sanitize(dirty, options));
|
|
8
8
|
} else {
|
|
9
9
|
try {
|
|
10
|
-
const
|
|
11
|
-
const
|
|
12
|
-
DOMPurifyWindow = DOMPurify(window);
|
|
10
|
+
const jsdom = require("jsdom");
|
|
11
|
+
const JSDOM = new jsdom.JSDOM("<!DOCTYPE html>");
|
|
12
|
+
const DOMPurifyWindow = DOMPurify(JSDOM.window);
|
|
13
13
|
sanitizer = (dirty, options) =>
|
|
14
|
-
decode(DOMPurifyWindow.sanitize(dirty, options));
|
|
14
|
+
he.decode(DOMPurifyWindow.sanitize(dirty, options));
|
|
15
15
|
} catch (error) {
|
|
16
|
-
console.error(
|
|
16
|
+
console.error(error);
|
|
17
17
|
}
|
|
18
18
|
}
|
|
19
19
|
|
|
20
|
-
function
|
|
20
|
+
function sanitized(dirty, DOMPurifyOptions, errorCallback) {
|
|
21
21
|
try {
|
|
22
|
-
|
|
23
|
-
return sanitizer(dirty, DOMPurifyOptions);
|
|
24
|
-
|
|
25
|
-
if (dirty && dirty.constructor === Array) {
|
|
26
|
-
let clone = [].concat(dirty);
|
|
27
|
-
for (let i = 0; i < clone.length; i++) {
|
|
28
|
-
clone[i] = handleDirtyValue(clone[i], DOMPurifyOptions);
|
|
29
|
-
}
|
|
30
|
-
return clone;
|
|
31
|
-
}
|
|
32
|
-
|
|
33
|
-
if (dirty && dirty.constructor === Object) {
|
|
34
|
-
let clone = JSON.parse(JSON.stringify(dirty));
|
|
35
|
-
let cloneKeys = Object.keys(clone);
|
|
36
|
-
for (let j = 0; j < cloneKeys.length; j++) {
|
|
37
|
-
const cloneKey = cloneKeys[j];
|
|
38
|
-
clone[cloneKey] = handleDirtyValue(clone[cloneKey], DOMPurifyOptions);
|
|
39
|
-
}
|
|
40
|
-
return clone;
|
|
41
|
-
}
|
|
22
|
+
let clone = JSON.parse(JSON.stringify(dirty));
|
|
42
23
|
|
|
43
|
-
|
|
24
|
+
if (typeof clone === "string") clone = sanitizer(clone, DOMPurifyOptions);
|
|
25
|
+
|
|
26
|
+
if (clone instanceof Array)
|
|
27
|
+
for (let i = 0; i < clone.length; i++)
|
|
28
|
+
clone[i] = sanitized(clone[i], DOMPurifyOptions);
|
|
29
|
+
|
|
30
|
+
if (clone instanceof Object)
|
|
31
|
+
for (let cloneKey of Object.keys(clone))
|
|
32
|
+
clone[cloneKey] = sanitized(clone[cloneKey], DOMPurifyOptions);
|
|
33
|
+
|
|
34
|
+
return clone;
|
|
44
35
|
} catch (err) {
|
|
45
|
-
if (
|
|
36
|
+
if (errorCallback) errorCallback(err);
|
|
37
|
+
|
|
46
38
|
return dirty;
|
|
47
39
|
}
|
|
48
40
|
}
|
|
49
41
|
|
|
50
|
-
module.exports =
|
|
42
|
+
module.exports = sanitized;
|
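Review bot: Arrays are sanitized twice in the new `sanitized` body: the `clone instanceof Array` loop handles each element, and because an array is also `instanceof Object` the second loop runs `sanitized` over the same indices again, so array elements get two sanitize+decode passes while object values and bare strings get one. The recursive calls also drop `errorCallback`, so a failure on a nested value is caught by the inner `catch`, that nested value is returned unsanitized, and the caller's callback never fires. Changing `if (clone instanceof Object)` to `else if (clone instanceof Object)` and passing `errorCallback` as the third argument in both recursive `sanitized(...)` calls addresses both. Separately, `he.decode(...)` applied after `DOMPurify.sanitize(...)` converts entity-encoded text back into raw characters, so the return value should be documented as plain text for storage rather than as sanitized HTML safe to re-insert, and `JSON.parse(JSON.stringify(dirty))` throws for `undefined` and drops function/`undefined` members, which is worth a sentence in the README.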
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "sanitized",
|
|
3
|
-
"version": "1.1.
|
|
4
|
-
"description": "Recursive function that'll sanitize a string or ALL strings in
|
|
3
|
+
"version": "1.1.7",
|
|
4
|
+
"description": "Recursive function that'll sanitize a string or ALL strings in a json input.",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"scripts": {
|
|
7
7
|
"test": "echo \"Error: no test specified\" && exit 1"
|
|
@@ -22,8 +22,8 @@
|
|
|
22
22
|
},
|
|
23
23
|
"homepage": "https://github.com/nameer-rizvi/sanitized#readme",
|
|
24
24
|
"dependencies": {
|
|
25
|
-
"dompurify": "^2.
|
|
25
|
+
"dompurify": "^2.3.6",
|
|
26
26
|
"he": "^1.2.0",
|
|
27
|
-
"jsdom": "^
|
|
27
|
+
"jsdom": "^19.0.0"
|
|
28
28
|
}
|
|
29
29
|
}
|