sanitize-html
Comparing version 2.3.3 to 2.4.0
# Changelog | ||
## 2.4.0 (2021-05-19): | ||
- Added support for class names with wildcards in `allowedClasses`. Thanks to [zhangbenber](https://github.com/zhangbenber) for the contribution. | ||
## 2.3.3 (2021-03-19): | ||
@@ -4,0 +7,0 @@ - Security fix: `allowedSchemes` and related options did not properly block schemes containing a hyphen, plus sign, period or digit, such as `ms-calculator:`. Thanks to Lukas Euler for pointing out the issue. |
index.js
@@ -149,6 +149,9 @@ const htmlparser = require('htmlparser2'); | ||
}); | ||
allowedAttributesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$'); | ||
if (globRegex.length) { | ||
allowedAttributesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$'); | ||
} | ||
}); | ||
} | ||
const allowedClassesMap = {}; | ||
const allowedClassesGlobMap = {}; | ||
each(options.allowedClasses, function(classes, tag) { | ||
@@ -163,3 +166,14 @@ // Implicitly allows the class attribute | ||
allowedClassesMap[tag] = classes; | ||
allowedClassesMap[tag] = []; | ||
const globRegex = []; | ||
classes.forEach(function(obj) { | ||
if (typeof obj === 'string' && obj.indexOf('*') >= 0) { | ||
globRegex.push(escapeStringRegexp(obj).replace(/\\\*/g, '.*')); | ||
} else { | ||
allowedClassesMap[tag].push(obj); | ||
} | ||
}); | ||
if (globRegex.length) { | ||
allowedClassesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$'); | ||
} | ||
}); | ||
@@ -384,6 +398,13 @@ | ||
const allowedWildcardClasses = allowedClassesMap['*']; | ||
const allowedSpecificClassesGlob = allowedClassesGlobMap[name]; | ||
const allowedWildcardClassesGlob = allowedClassesGlobMap['*']; | ||
const allowedClassesGlobs = [ allowedSpecificClassesGlob, allowedWildcardClassesGlob ].filter( | ||
function(t) { | ||
return t; | ||
} | ||
); | ||
if (allowedSpecificClasses && allowedWildcardClasses) { | ||
value = filterClasses(value, deepmerge(allowedSpecificClasses, allowedWildcardClasses)); | ||
value = filterClasses(value, deepmerge(allowedSpecificClasses, allowedWildcardClasses), allowedClassesGlobs); | ||
} else { | ||
value = filterClasses(value, allowedSpecificClasses || allowedWildcardClasses); | ||
value = filterClasses(value, allowedSpecificClasses || allowedWildcardClasses, allowedClassesGlobs); | ||
} | ||
@@ -675,3 +696,3 @@ if (!value.length) { | ||
function filterClasses(classes, allowed) { | ||
function filterClasses(classes, allowed, allowedGlobs) { | ||
if (!allowed) { | ||
@@ -683,3 +704,5 @@ // The class attribute is allowed without filtering on this tag | ||
return classes.filter(function(clss) { | ||
return allowed.indexOf(clss) !== -1; | ||
return allowed.indexOf(clss) !== -1 || allowedGlobs.some(function(glob) { | ||
return glob.test(clss); | ||
}); | ||
}).join(' '); | ||
@@ -686,0 +709,0 @@ } |
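Review bot: The new third parameter of `filterClasses` is dereferenced unconditionally in `allowedGlobs.some(...)`, so any caller that still passes only `(classes, allowed)` now throws a TypeError instead of filtering; the two call sites visible in this diff always pass the `allowedClassesGlobs` array, but the function is module-level and a default makes the contract explicit: `function filterClasses(classes, allowed, allowedGlobs = []) {`. The body of `filterClasses` starts and ends outside the hunks shown here. The glob-to-regex construction in the `allowedClasses` loop would also benefit from a comment stating its semantics, since `escapeStringRegexp(obj).replace(/\\\*/g, '.*')` anchored in `^(...)$` means `lang-*` also matches the bare class `lang-` and a lone `*` entry admits every class on that tag: `// '*' expands to '.*' (zero or more chars), so 'lang-*' also accepts 'lang-' and a bare '*' allows any class`. The `.filter(function(t) { return t; })` used to drop undefined glob maps could be written as `.filter(Boolean)` for brevity.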
{ | ||
"name": "sanitize-html", | ||
"version": "2.3.3", | ||
"version": "2.4.0", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "sideEffects": false, |
@@ -29,6 +29,16 @@ # sanitize-html | ||
### Regarding Typescript | ||
### Regarding TypeScript | ||
sanitize-html is not written in Typescript and there is no plan to directly support it. There is a community supported implementation, [`@types/sanitize-html`](https://www.npmjs.com/package/@types/sanitize-html), however. Any questions or problems while using that implementation should be directed to its maintainers as directed by that project's contribution guidelines. | ||
sanitize-html is not written in TypeScript and there is no plan to directly support it. There is a community supported typing definition, [`@types/sanitize-html`](https://www.npmjs.com/package/@types/sanitize-html), however. | ||
```bash | ||
npm install -D @types/sanitize-html | ||
``` | ||
If `esModuleInterop=true` is not set in your `tsconfig.json` file, you have to import it with: | ||
```javascript | ||
import * as sanitizeHtml from 'sanitize-html'; | ||
``` | ||
Any questions or problems while using `@types/sanitize-html` should be directed to its maintainers as directed by that project's contribution guidelines. | ||
## How to use | ||
@@ -42,8 +52,11 @@ | ||
* Clone repository and install via npm | ||
* Run npm install and: | ||
* Install the package: | ||
```bash | ||
npm install sanitize-html # yarn add sanitize-html | ||
npm install sanitize-html | ||
``` | ||
or | ||
``` | ||
yarn add sanitize-html | ||
``` | ||
@@ -74,3 +87,3 @@ The primary change in the 2.x version of sanitize-html is that it no longer includes a build that is ready for browser use. Developers are expected to include sanitize-html in their project builds (e.g., webpack) as they would any other dependency. So while sanitize-html is no longer ready to link to directly in HTML, developers can now more easily process it according to their needs. | ||
```bash | ||
```js | ||
// In ES modules | ||
@@ -230,5 +243,6 @@ import sanitizeHtml from 'sanitize-html'; | ||
Similar to `allowedAttributes`, you can use `*` as a tag name, to allow listed classes to be valid for any tag: | ||
Similar to `allowedAttributes`, you can use `*` to allow classes with a certain prefix, or use `*` as a tag name to allow listed classes to be valid for any tag: | ||
```js | ||
allowedClasses: { | ||
'code': [ 'language-*', 'lang-*' ], | ||
'*': [ 'fancy', 'simple' ] | ||
@@ -235,0 +249,0 @@ } |