sanitize-html - npm Package Compare versions

Comparing version 2.3.0 to 2.3.1

CHANGELOG.md

 # Changelog
 
+## 2.3.1 (2021-01-22):
+- Uses the standard WHATWG URL parser to stop IDNA (Internationalized Domain Name) attacks on the iframe hostname validator. Thanks to Ron Masas of Checkmarx for pointing out the issue and suggesting the use of the WHATWG parser.
+
 ## 2.3.0 (2020-12-16):
@@ -4,0 +7,0 @@ - Upgrades `htmlparser2` to new major version `^6.0.0`. Thanks to [Bogdan Chadkin](https://github.com/TrySound) for the contribution.

index.js

@@ -8,3 +8,2 @@ const htmlparser = require('htmlparser2');
 const { parse: postcssParse } = require('postcss');
-const url = require('url');
 // Tags that can conceivably represent stand-alone media.
@@ -309,8 +308,20 @@ const mediaTags = [
               try {
+                if (value.startsWith('relative:')) {
+                  // An attempt to exploit our workaround for base URLs being
+                  // mandatory for relative URL validation in the WHATWG
+                  // URL parser, reject it
+                  throw new Error('relative: exploit attempt');
+                }
                 // naughtyHref is in charge of whether protocol relative URLs
-                // are cool. We should just accept them
-                // TODO: Replace deprecated `url.parse`
-                // eslint-disable-next-line node/no-deprecated-api
-                parsed = url.parse(value, false, true);
-                const isRelativeUrl = parsed && parsed.host === null && parsed.protocol === null;
+                // are cool. Here we are concerned just with allowed hostnames and
+                // whether to allow relative URLs.
+                //
+                // Build a placeholder "base URL" against which any reasonable
+                // relative URL may be parsed successfully
+                let base = 'relative://relative-site';
+                for (let i = 0; (i < 100); i++) {
+                  base += `/${i}`;
+                }
+                const parsed = new URL(value, base);
+                const isRelativeUrl = parsed && parsed.hostname === 'relative-site' && parsed.protocol === 'relative:';
                 if (isRelativeUrl) {
@@ -317,0 +328,0 @@ // default value of allowIframeRelativeUrls is true

package.json

 {
   "name": "sanitize-html",
-  "version": "2.3.0",
+  "version": "2.3.1",
   "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
@@ -5,0 +5,0 @@ "sideEffects": false,

README.md

@@ -27,3 +27,3 @@ # sanitize-html
 
-sanitize-html is intended for use with Node. That's pretty much it. All of its npm dependencies are pure JavaScript. sanitize-html is built on the excellent `htmlparser2` module.
+sanitize-html is intended for use with Node.js and supports Node 10+. All of its npm dependencies are pure JavaScript. sanitize-html is built on the excellent `htmlparser2` module.
 
@@ -30,0 +30,0 @@ ### Regarding Typescript

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

68053

increased by1.26%

Lines of code

682

increased by1.64%

No dependency changes