marky-markdown
Comparing version 11.3.2 to 12.0.0
@@ -5,2 +5,17 @@ # Change Log | ||
<a name="12.0.0"></a> | ||
# [12.0.0](https://github.com/npm/marky-markdown/compare/v11.3.2...v12.0.0) (2018-01-17) | ||
### Features | ||
* add rel=nofollow to links if the `nofollow` option is set ([#426](https://github.com/npm/marky-markdown/issues/426)) ([bb36977](https://github.com/npm/marky-markdown/commit/bb36977)) | ||
### BREAKING CHANGES | ||
* links now default to having rel=nofollow set | ||
<a name="11.3.2"></a> | ||
@@ -7,0 +22,0 @@ ## [11.3.2](https://github.com/npm/marky-markdown/compare/v11.3.1...v11.3.2) (2017-09-28) |
@@ -9,2 +9,3 @@ var defaults = require('lodash.defaults') | ||
sanitize: true, | ||
nofollow: true, | ||
linkify: true, | ||
@@ -66,3 +67,3 @@ highlightSyntax: true, | ||
marky.parsePackageDescription = function (description) { | ||
return sanitize(render.renderPackageDescription(description)) | ||
return sanitize(render.renderPackageDescription(description), defaultOptions) | ||
} | ||
@@ -78,3 +79,3 @@ | ||
parser.render = function (markdown) { | ||
return sanitize(originalRender.call(parser, markdown)) | ||
return sanitize(originalRender.call(parser, markdown), options) | ||
} | ||
@@ -81,0 +82,0 @@ } |
@@ -25,2 +25,3 @@ var pickBy = require('lodash.pickby') | ||
var looseImageParsing = require('./gfm/image') | ||
var relNoFollow = require('./plugin/nofollow') | ||
@@ -92,2 +93,6 @@ if (typeof process.browser === 'undefined') { | ||
if (options.nofollow) { | ||
parser.use(relNoFollow) | ||
} | ||
if (options.highlightSyntax) { | ||
@@ -94,0 +99,0 @@ parser.use(codeWrap) |
@@ -9,3 +9,4 @@ var sanitizeHtml = require('sanitize-html') | ||
'td': sanitizeCellStyle, | ||
'th': sanitizeCellStyle | ||
'th': sanitizeCellStyle, | ||
'a': getNofollowSanitize(options) | ||
} | ||
@@ -70,3 +71,3 @@ }) | ||
h6: ['id', 'align'], | ||
a: ['href', 'id', 'name', 'target', 'title', 'aria-hidden'], | ||
a: ['href', 'id', 'name', 'target', 'title', 'aria-hidden', 'rel'], | ||
img: ['alt', 'id', 'src', 'width', 'height', 'align', 'valign', 'title', 'style'], | ||
@@ -102,3 +103,4 @@ p: ['align'], | ||
'td': sanitizeCellStyle, | ||
'th': sanitizeCellStyle | ||
'th': sanitizeCellStyle, | ||
'a': getNofollowSanitize(options) | ||
} | ||
@@ -108,2 +110,20 @@ } | ||
function getNofollowSanitize (options) { | ||
return options.nofollow ? sanitizeAnchorNofollow : sanitizeIdentity | ||
} | ||
function sanitizeIdentity (tagName, attribs) { | ||
return { | ||
tagName: tagName, | ||
attribs: attribs | ||
} | ||
} | ||
function sanitizeAnchorNofollow (tagName, attribs) { | ||
if (attribs.href) { | ||
attribs.rel = 'nofollow' | ||
} | ||
return sanitizeIdentity(tagName, attribs) | ||
} | ||
// Allow table cell alignment | ||
@@ -110,0 +130,0 @@ function sanitizeCellStyle (tagName, attribs) { |
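Review bot: `sanitizeAnchorNofollow` overwrites whatever `rel` the anchor already carries, so an author's `rel="noopener"` on a `target="_blank"` link (both `target` and, as of this change, `rel` are in the allowed attribute list for `a`) is silently dropped instead of being combined with `nofollow`; appending the token is the safer shape, e.g. `var rel = (attribs.rel || '').split(/\s+/).filter(Boolean)` / `if (rel.indexOf('nofollow') === -1) rel.push('nofollow')` / `attribs.rel = rel.join(' ')`. If the wholesale replacement is intentional, a one-line comment on the assignment saying that any incoming `rel` is discarded would save the next reader from guessing. Note also that with `rel` now whitelisted, `sanitizeIdentity` passes a user-supplied `rel` through untouched whenever `nofollow` is off, so the allow-list alone does not restrict which `rel` tokens survive; if only a known set should be accepted, that filtering has to happen in the transform. The two `transformTags` objects that call `getNofollowSanitize(options)` begin outside their hunks, so I cannot see where `options` enters this module.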
@@ -1,1 +0,1 @@ | ||
{"version":"11.3.2","repositoryUrl":"https://github.com/npm/marky-markdown","issuesUrl":"https://github.com/npm/marky-markdown/issues"} | ||
{"version":"12.0.0","repositoryUrl":"https://github.com/npm/marky-markdown","issuesUrl":"https://github.com/npm/marky-markdown/issues"} |
{ | ||
"name": "marky-markdown", | ||
"version": "11.3.2", | ||
"version": "12.0.0", | ||
"description": "npm's markdown parser", | ||
@@ -70,3 +70,3 @@ "main": "index.js", | ||
"property-ttl": "^1.0.0", | ||
"sanitize-html": "^1.14.1", | ||
"sanitize-html": "^1.17.0", | ||
"similarity": "^1.0.1" | ||
@@ -73,0 +73,0 @@ }, |
@@ -71,2 +71,3 @@ # marky-markdown | ||
sanitize: true, // remove script tags and stuff | ||
nofollow: true, // add rel=nofollow to all links | ||
linkify: true, // turn orphan URLs into hyperlinks | ||
@@ -73,0 +74,0 @@ highlightSyntax: true, // run highlights on fenced code blocks |