sanitize-html - npm Package Compare versions

Comparing version 2.3.3 to 2.4.0

CHANGELOG.md

 # Changelog
 
+## 2.4.0 (2021-05-19):
+- Added support for class names with wildcards in `allowedClasses`. Thanks to [zhangbenber](https://github.com/zhangbenber) for the contribution.
+
 ## 2.3.3 (2021-03-19):
@@ -4,0 +7,0 @@ - Security fix: `allowedSchemes` and related options did not properly block schemes containing a hyphen, plus sign, period or digit, such as `ms-calculator:`. Thanks to Lukas Euler for pointing out the issue.

index.js

@@ -149,6 +149,9 @@ const htmlparser = require('htmlparser2');
       });
-      allowedAttributesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$');
+      if (globRegex.length) {
+        allowedAttributesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$');
+      }
     });
   }
   const allowedClassesMap = {};
+  const allowedClassesGlobMap = {};
   each(options.allowedClasses, function(classes, tag) {
@@ -163,3 +166,14 @@ // Implicitly allows the class attribute
 
-    allowedClassesMap[tag] = classes;
+    allowedClassesMap[tag] = [];
+    const globRegex = [];
+    classes.forEach(function(obj) {
+      if (typeof obj === 'string' && obj.indexOf('*') >= 0) {
+        globRegex.push(escapeStringRegexp(obj).replace(/\\\*/g, '.*'));
+      } else {
+        allowedClassesMap[tag].push(obj);
+      }
+    });
+    if (globRegex.length) {
+      allowedClassesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$');
+    }
   });
@@ -384,6 +398,13 @@
               const allowedWildcardClasses = allowedClassesMap['*'];
+              const allowedSpecificClassesGlob = allowedClassesGlobMap[name];
+              const allowedWildcardClassesGlob = allowedClassesGlobMap['*'];
+              const allowedClassesGlobs = [ allowedSpecificClassesGlob, allowedWildcardClassesGlob ].filter(
+                function(t) {
+                  return t;
+                }
+              );
               if (allowedSpecificClasses && allowedWildcardClasses) {
-                value = filterClasses(value, deepmerge(allowedSpecificClasses, allowedWildcardClasses));
+                value = filterClasses(value, deepmerge(allowedSpecificClasses, allowedWildcardClasses), allowedClassesGlobs);
               } else {
-                value = filterClasses(value, allowedSpecificClasses || allowedWildcardClasses);
+                value = filterClasses(value, allowedSpecificClasses || allowedWildcardClasses, allowedClassesGlobs);
               }
@@ -675,3 +696,3 @@ if (!value.length) {
 
-  function filterClasses(classes, allowed) {
+  function filterClasses(classes, allowed, allowedGlobs) {
     if (!allowed) {
@@ -683,3 +704,5 @@ // The class attribute is allowed without filtering on this tag
     return classes.filter(function(clss) {
-      return allowed.indexOf(clss) !== -1;
+      return allowed.indexOf(clss) !== -1 || allowedGlobs.some(function(glob) {
+        return glob.test(clss);
+      });
     }).join(' ');
@@ -686,0 +709,0 @@ }

package.json

 {
   "name": "sanitize-html",
-  "version": "2.3.3",
+  "version": "2.4.0",
   "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
@@ -5,0 +5,0 @@ "sideEffects": false,

README.md

@@ -29,6 +29,16 @@ # sanitize-html
 
-### Regarding Typescript
+### Regarding TypeScript
 
-sanitize-html is not written in Typescript and there is no plan to directly support it. There is a community supported implementation, [`@types/sanitize-html`](https://www.npmjs.com/package/@types/sanitize-html), however. Any questions or problems while using that implementation should be directed to its maintainers as directed by that project's contribution guidelines.
+sanitize-html is not written in TypeScript and there is no plan to directly support it. There is a community supported typing definition, [`@types/sanitize-html`](https://www.npmjs.com/package/@types/sanitize-html), however.
+```bash 
+npm install -D @types/sanitize-html
+```
+If `esModuleInterop=true` is not set in your `tsconfig.json` file, you have to import it with:
 
+```javascript
+import * as sanitizeHtml from 'sanitize-html';
+```
+
+Any questions or problems while using `@types/sanitize-html` should be directed to its maintainers as directed by that project's contribution guidelines.
+
 ## How to use
@@ -42,8 +52,11 @@
 
-* Clone repository and install via npm
-* Run npm install and:
+* Install the package:
 
 ```bash
-npm install sanitize-html # yarn add sanitize-html
+npm install sanitize-html 
 ```
+or
+```
+yarn add sanitize-html
+```
 
@@ -74,3 +87,3 @@ The primary change in the 2.x version of sanitize-html is that it no longer includes a build that is ready for browser use. Developers are expected to include sanitize-html in their project builds (e.g., webpack) as they would any other dependency. So while sanitize-html is no longer ready to link to directly in HTML, developers can now more easily process it according to their needs.
 
-```bash
+```js
 // In ES modules
@@ -230,5 +243,6 @@ import sanitizeHtml from 'sanitize-html';
 
-Similar to `allowedAttributes`, you can use `*` as a tag name, to allow listed classes to be valid for any tag:
+Similar to `allowedAttributes`, you can use `*` to allow classes with a certain prefix, or use `*` as a tag name to allow listed classes to be valid for any tag:
 ```js
 allowedClasses: {
+  'code': [ 'language-*', 'lang-*' ],
   '*': [ 'fancy', 'simple' ]
@@ -235,0 +249,0 @@ }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

71095

increased by2%

Lines of code

711

increased by3.34%

Number of lines in readme file

607

increased by2.36%

No dependency changes