sanitize-html
Comparing version 1.18.5 to 1.19.0
@@ -283,2 +283,3 @@ 'use strict'; | ||
if (name === 'iframe' && a === 'src') { | ||
var allowed = true; | ||
try { | ||
@@ -288,13 +289,16 @@ // naughtyHref is in charge of whether protocol relative URLs | ||
parsed = url.parse(value, false, true); | ||
if (options.allowedIframeHostnames) { | ||
var whitelistedHostnames = options.allowedIframeHostnames.find(function (hostname) { | ||
var isRelativeUrl = parsed && parsed.host === null && parsed.protocol === null; | ||
if (isRelativeUrl) { | ||
// default value of allowIframeRelativeUrls is true unless allowIframeHostnames specified | ||
allowed = has(options, "allowIframeRelativeUrls") ? options.allowIframeRelativeUrls : !options.allowedIframeHostnames; | ||
} else if (options.allowedIframeHostnames) { | ||
allowed = options.allowedIframeHostnames.find(function (hostname) { | ||
return hostname === parsed.hostname; | ||
}); | ||
if (!whitelistedHostnames) { | ||
delete frame.attribs[a]; | ||
return; | ||
} | ||
} | ||
} catch (e) { | ||
// Unparseable iframe src | ||
allowed = false; | ||
} | ||
if (!allowed) { | ||
delete frame.attribs[a]; | ||
@@ -301,0 +305,0 @@ return; |
{ | ||
"name": "sanitize-html", | ||
"version": "1.18.5", | ||
"version": "1.19.0", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "main": "dist/index.js", |
@@ -331,2 +331,10 @@ # sanitize-html | ||
You may also specify whether or not to allow relative URLs as iframe sources. | ||
```javascript | ||
allowIframeRelativeUrls: true | ||
``` | ||
Note that if unspecified, relative URLs will be allowed by default if no hostname filter is provided but removed by default if a hostname filter is provided. | ||
**Remember that the `iframe` tag must be allowed as well as the `src` attribute.** | ||
@@ -484,2 +492,6 @@ | ||
1.19.0: | ||
* New `allowIframeRelativeUrls` option. It defaults to `true` unless `allowedIframeHostnames` is present, in which case it defaults to false, for backwards compatibility with existing behavior in both cases; however you can now set the option explicitly to allow both certain hostnames and relative URLs. Thanks to Rick Martin. | ||
1.18.5: | ||
@@ -486,0 +498,0 @@ |
@@ -243,2 +243,3 @@ var htmlparser = require('htmlparser2'); | ||
if (name === 'iframe' && a === 'src') { | ||
var allowed = true; | ||
try { | ||
@@ -248,13 +249,17 @@ // naughtyHref is in charge of whether protocol relative URLs | ||
parsed = url.parse(value, false, true); | ||
if (options.allowedIframeHostnames) { | ||
var whitelistedHostnames = options.allowedIframeHostnames.find(function(hostname) { | ||
var isRelativeUrl = parsed && parsed.host === null && parsed.protocol === null; | ||
if (isRelativeUrl) { | ||
// default value of allowIframeRelativeUrls is true unless allowIframeHostnames specified | ||
allowed = has(options, "allowIframeRelativeUrls") ? | ||
options.allowIframeRelativeUrls : !options.allowedIframeHostnames; | ||
} else if (options.allowedIframeHostnames) { | ||
allowed = options.allowedIframeHostnames.find(function (hostname) { | ||
return hostname === parsed.hostname; | ||
}); | ||
if (!whitelistedHostnames) { | ||
delete frame.attribs[a]; | ||
return; | ||
} | ||
} | ||
} catch (e) { | ||
// Unparseable iframe src | ||
allowed = false; | ||
} | ||
if (!allowed) { | ||
delete frame.attribs[a]; | ||
@@ -261,0 +266,0 @@ return; |
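Review bot: `allowed` is introduced as a boolean (`var allowed = true;`) but the `else if` branch assigns it the result of `.find()`, i.e. the matched hostname string or `undefined`; `.some()` keeps it a boolean and reads as the membership test it is: `allowed = options.allowedIframeHostnames.some(function (hostname) { return hostname === parsed.hostname; });`. The relative-URL classification (`parsed.host === null && parsed.protocol === null`) is whatever the legacy `url.parse` with `slashesDenoteHost` reports, which is not guaranteed to agree with how a browser resolves the same `src`, and a value classed as relative skips the hostname check entirely, so a short comment stating that contract would help maintainers, e.g. `// Only URLs url.parse reports as absolute are checked against allowedIframeHostnames; a src it reports as relative is governed solely by allowIframeRelativeUrls`. The enclosing iframe/src handler starts before this hunk and its body continues after it. The same change appears in the dist copy of this file in the first section above.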
@@ -659,3 +659,3 @@ var assert = require("assert"); | ||
}); | ||
it('Should remove iframe src urls that are not inlcuded in whitelisted hostnames', function() { | ||
it('Should remove iframe src urls that are not included in whitelisted hostnames', function() { | ||
assert.equal( | ||
@@ -686,3 +686,3 @@ sanitizeHtml('<iframe src="https://www.embed.vevo.com/USUV71704255"></iframe>', { | ||
}); | ||
it('Should allow relative URLs for iframes', function() { | ||
it('Should allow relative URLs for iframes by default', function() { | ||
assert.equal( | ||
@@ -695,2 +695,39 @@ sanitizeHtml('<iframe src="/foo"></iframe>', { | ||
}); | ||
it('Should allow relative URLs for iframes', function() { | ||
assert.equal( | ||
sanitizeHtml('<iframe src="/foo"></iframe>', { | ||
allowedTags: ['p', 'iframe', 'a', 'img', 'i'], | ||
allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']}, | ||
allowIframeRelativeUrls: true, | ||
}), '<iframe src="/foo"></iframe>' | ||
); | ||
}); | ||
it('Should remove relative URLs for iframes', function() { | ||
assert.equal( | ||
sanitizeHtml('<iframe src="/foo"></iframe>', { | ||
allowedTags: ['p', 'iframe', 'a', 'img', 'i'], | ||
allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']}, | ||
allowIframeRelativeUrls: false, | ||
}), '<iframe></iframe>' | ||
); | ||
}); | ||
it('Should remove relative URLs for iframes when whitelisted hostnames specified', function() { | ||
assert.equal( | ||
sanitizeHtml('<iframe src="/foo"></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>', { | ||
allowedTags: ['p', 'iframe', 'a', 'img', 'i'], | ||
allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']}, | ||
allowedIframeHostnames: ['www.youtube.com'] | ||
}), '<iframe></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>' | ||
); | ||
}); | ||
it('Should allow relative and whitelisted hostname URLs for iframes', function() { | ||
assert.equal( | ||
sanitizeHtml('<iframe src="/foo"></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>', { | ||
allowedTags: ['p', 'iframe', 'a', 'img', 'i'], | ||
allowedAttributes: {'iframe': ['src', 'href'], 'a': ['src', 'href'], 'img': ['src']}, | ||
allowIframeRelativeUrls: true, | ||
allowedIframeHostnames: ['www.youtube.com'] | ||
}), '<iframe src="/foo"></iframe><iframe src="https://www.youtube.com/embed/c2IlcS7AHxM"></iframe>' | ||
); | ||
}); | ||
it('Should allow protocol-relative URLs for the right domain for iframes', function() { | ||
@@ -697,0 +734,0 @@ assert.equal( |
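Review bot: The new cases cover relative and absolute `src` values but none asserts that a protocol-relative `//host/path` src is still subjected to `allowedIframeHostnames` when `allowIframeRelativeUrls: true` is set; since the implementation distinguishes the two only via `url.parse`'s host detection, a test pinning that boundary would guard the option against regressing into a whitelist bypass. The existing 'Should allow protocol-relative URLs for the right domain for iframes' case that follows this hunk does not appear to set `allowIframeRelativeUrls`, so a sibling with that option enabled and a non-whitelisted protocol-relative host expecting `'<iframe></iframe>'` would close the gap. A case with `allowIframeRelativeUrls: false` combined with `allowedIframeHostnames` would likewise document that the explicit value wins over the default.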