sanitize-html - npm Package Compare versions

Comparing version 1.18.2 to 1.18.3

dist/index.js

@@ -283,9 +283,6 @@ 'use strict';
             if (name === 'iframe' && a === 'src') {
-              //Check if value contains proper hostname prefix
-              if (value.substring(0, 2) === '//') {
-                var prefix = 'https:';
-                value = prefix.concat(value);
-              }
               try {
-                parsed = url.parse(value);
+                // naughtyHref is in charge of whether protocol relative URLs
+                // are cool. We should just accept them
+                parsed = url.parse(value, false, true);
                 if (options.allowedIframeHostnames) {
@@ -292,0 +289,0 @@ var whitelistedHostnames = options.allowedIframeHostnames.find(function (hostname) {

package.json

 {
   "name": "sanitize-html",
-  "version": "1.18.2",
+  "version": "1.18.3",
   "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
   "main": "dist/index.js",
+  "browser": "dist/sanitize-html.js",
   "scripts": {
@@ -7,0 +8,0 @@ "prepare": "true",

README.md

@@ -17,3 +17,3 @@ # sanitize-html
 
-Allowing particular urls as a `src` to an iframe tag by filtering hostnames is also supported. 
+Allowing particular urls as a `src` to an iframe tag by filtering hostnames is also supported.
 
@@ -110,3 +110,3 @@ HTML comments are not preserved.
   'nl', 'li', 'b', 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
-  'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' ],
+  'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'iframe' ],
 allowedAttributes: {
@@ -153,3 +153,3 @@ a: [ 'href', 'name', 'target' ],
         allowedAttributes: {
-          iframe: [ 
+          iframe: [
             {
@@ -324,7 +324,7 @@ name: 'sandbox',
 
-If you would like to allow iframe tags but want to control the domains that are allowed through you can provide an array of hostnames that you would like to allow as iframe sources. This hostname is a property in the options object passed as an argument to the `sanitize-html` function. 
+If you would like to allow iframe tags but want to control the domains that are allowed through you can provide an array of hostnames that you would like to allow as iframe sources. This hostname is a property in the options object passed as an argument to the `sanitize-html` function.
 
-This array will be checked against the html that is passed to the function and return only `src` urls that include the allowed hostnames in the object. The url in the html that is passed must be formatted correctly (valid hostname) as an embedded iframe otherwise the module will strip out the src from the iframe. 
+This array will be checked against the html that is passed to the function and return only `src` urls that include the allowed hostnames in the object. The url in the html that is passed must be formatted correctly (valid hostname) as an embedded iframe otherwise the module will strip out the src from the iframe.
 
-Make sure to pass a valid hostname along with the domain you wish to allow, i.e.: 
+Make sure to pass a valid hostname along with the domain you wish to allow, i.e.:
 
@@ -344,2 +344,4 @@ ```javascript
     'p': [ 'fancy', 'simple' ],
+  },
+  allowedAttributes: {
     'iframe': ['src']
@@ -358,2 +360,4 @@ },
     'p': [ 'fancy', 'simple' ],
+  },
+  allowedAttributes: {
     'iframe': ['src']
@@ -365,3 +369,3 @@ },
 
-or 
+or
 
@@ -373,2 +377,4 @@ ```javascript
     'p': [ 'fancy', 'simple' ],
+  },
+  allowedAttributes: {
     'iframe': ['src']
@@ -420,3 +426,3 @@ },
             // Match any number with px, em, or %
-            'font-size': [/^\d+$[px|em|\%]$/]
+            'font-size': [/^\d+(?:px|em|%)$/]
           },
@@ -486,2 +492,9 @@ 'p': {
 
+1.18.3:
+
+* `iframe` is an allowed tag by default, to better facilitate typical use cases and the use of the `allowedIframeHostnames` option.
+* Documentation improvements.
+* More browser packaging improvements.
+* Protocol-relative URLs are properly supported for iframe tags.
+
 1.18.2:
@@ -488,0 +501,0 @@

src/index.js

@@ -243,9 +243,6 @@ var htmlparser = require('htmlparser2');
             if (name === 'iframe' && a === 'src') {
-              //Check if value contains proper hostname prefix
-              if (value.substring(0, 2) === '//') {
-                var prefix = 'https:';
-                value = prefix.concat(value);            
-              }
               try {
-                parsed = url.parse(value);
+                // naughtyHref is in charge of whether protocol relative URLs
+                // are cool. We should just accept them
+                parsed = url.parse(value, false, true);
                 if (options.allowedIframeHostnames) {
@@ -252,0 +249,0 @@ var whitelistedHostnames = options.allowedIframeHostnames.find(function(hostname) {

test/test.js

@@ -650,3 +650,3 @@ var assert = require("assert");
   });
-  it('Should allow only hostnames in an iframe that are whitelisted', function() {
+  it('Should allow hostnames in an iframe that are whitelisted', function() {
     assert.equal(
@@ -671,3 +671,3 @@ sanitizeHtml('<iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>', {
     assert.equal(
-      sanitizeHtml('<iframe src="//www.vimeo.com/embed/c2IlcS7AHxM"></iframe>', {
+      sanitizeHtml('<iframe src="https://www.vimeo.com/embed/c2IlcS7AHxM"></iframe>', {
         allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
@@ -687,2 +687,28 @@ allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']},
   });
+  it('Should allow relative URLs for iframes', function() {
+    assert.equal(
+      sanitizeHtml('<iframe src="/foo"></iframe>', {
+        allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
+        allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']}
+      }), '<iframe src="/foo"></iframe>'
+    );
+  });
+  it('Should allow protocol-relative URLs for the right domain for iframes', function() {
+    assert.equal(
+      sanitizeHtml('<iframe src="//www.youtube.com/embed/c2IlcS7AHxM"></iframe>', {
+        allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
+        allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']},
+        allowedIframeHostnames: ['www.youtube.com', 'player.vimeo.com']
+      }), '<iframe src="//www.youtube.com/embed/c2IlcS7AHxM"></iframe>'
+    );
+  });
+  it('Should not allow protocol-relative iframe urls that do not have proper hostname', function() {
+    assert.equal(
+      sanitizeHtml('<iframe src="//www.vimeo.com/embed/c2IlcS7AHxM"></iframe>', {
+        allowedTags: ['p', 'iframe', 'a', 'img', 'i'],
+        allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']},
+        allowedIframeHostnames: ['www.youtube.com', 'player.vimeo.com']
+      }), '<iframe></iframe>'
+    );
+  });
   it('Should only allow attributes to have any combination of specific values', function() {
@@ -689,0 +715,0 @@ assert.equal(

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Minified code

Quality

This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code.

Found 2 instances in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Network access

Supply chain risk

This module accesses the network.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Minified code

Quality

This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code.

Found 1 instance in 1 package

Improved metrics

Number of lines in readme file

636

increased by2.09%

Number of low supply chain risk alerts

4

decreased by-50%

Number of medium supply chain risk alerts

1

decreased by-95%

Worsened metrics

Total package byte prevSize

109538

decreased by-91.28%

Lines of code

1860

decreased by-92.44%

Number of low quality alerts

3

increased by50%

No dependency changes