sanitize-html - npm Package Compare versions

Comparing version 2.7.0 to 2.7.1

index.js

@@ -290,3 +290,2 @@ const htmlparser = require('htmlparser2');
           }
-          let parsed;
           // check allowedAttributesMap for the element and attribute and modify the value
@@ -339,10 +338,10 @@ // as necessary if there are specific values defined.
               try {
-                const parsed = new URL(value);
+                const parsed = parseUrl(value);
 
                 if (options.allowedScriptHostnames || options.allowedScriptDomains) {
                   const allowedHostname = (options.allowedScriptHostnames || []).find(function (hostname) {
-                    return hostname === parsed.hostname;
+                    return hostname === parsed.url.hostname;
                   });
                   const allowedDomain = (options.allowedScriptDomains || []).find(function(domain) {
-                    return parsed.hostname === domain || parsed.hostname.endsWith(`.${domain}`);
+                    return parsed.url.hostname === domain || parsed.url.hostname.endsWith(`.${domain}`);
                   });
@@ -364,25 +363,5 @@ allowed = allowedHostname || allowedDomain;
               try {
-                // Chrome accepts \ as a substitute for / in the // at the
-                // start of a URL, so rewrite accordingly to prevent exploit.
-                // Also drop any whitespace at that point in the URL
-                value = value.replace(/^(\w+:)?\s*[\\/]\s*[\\/]/, '$1//');
-                if (value.startsWith('relative:')) {
-                  // An attempt to exploit our workaround for base URLs being
-                  // mandatory for relative URL validation in the WHATWG
-                  // URL parser, reject it
-                  throw new Error('relative: exploit attempt');
-                }
-                // naughtyHref is in charge of whether protocol relative URLs
-                // are cool. Here we are concerned just with allowed hostnames and
-                // whether to allow relative URLs.
-                //
-                // Build a placeholder "base URL" against which any reasonable
-                // relative URL may be parsed successfully
-                let base = 'relative://relative-site';
-                for (let i = 0; (i < 100); i++) {
-                  base += `/${i}`;
-                }
-                const parsed = new URL(value, base);
-                const isRelativeUrl = parsed && parsed.hostname === 'relative-site' && parsed.protocol === 'relative:';
-                if (isRelativeUrl) {
+                const parsed = parseUrl(value);
+
+                if (parsed.isRelativeUrl) {
                   // default value of allowIframeRelativeUrls is true
@@ -395,6 +374,6 @@ // unless allowedIframeHostnames or allowedIframeDomains specified
                   const allowedHostname = (options.allowedIframeHostnames || []).find(function (hostname) {
-                    return hostname === parsed.hostname;
+                    return hostname === parsed.url.hostname;
                   });
                   const allowedDomain = (options.allowedIframeDomains || []).find(function(domain) {
-                    return parsed.hostname === domain || parsed.hostname.endsWith(`.${domain}`);
+                    return parsed.url.hostname === domain || parsed.url.hostname.endsWith(`.${domain}`);
                   });
@@ -414,3 +393,3 @@ allowed = allowedHostname || allowedDomain;
               try {
-                parsed = parseSrcset(value);
+                let parsed = parseSrcset(value);
                 parsed.forEach(function(value) {
@@ -641,3 +620,13 @@ if (naughtyHref('srcset', value.url)) {
     // a javascript: URL to be snuck through
-    href = href.replace(/<!--.*?-->/g, '');
+    while (true) {
+      const firstIndex = href.indexOf('<!--');
+      if (firstIndex === -1) {
+        break;
+      }
+      const lastIndex = href.indexOf('-->', firstIndex + 4);
+      if (lastIndex === -1) {
+        break;
+      }
+      href = href.substring(0, firstIndex) + href.substring(lastIndex + 3);
+    }
     // Case insensitive so we don't get faked out by JAVASCRIPT #1
@@ -665,2 +654,29 @@ // Allow more characters after the first so we don't get faked
 
+  function parseUrl(value) {
+    value = value.replace(/^(\w+:)?\s*[\\/]\s*[\\/]/, '$1//');
+    if (value.startsWith('relative:')) {
+      // An attempt to exploit our workaround for base URLs being
+      // mandatory for relative URL validation in the WHATWG
+      // URL parser, reject it
+      throw new Error('relative: exploit attempt');
+    }
+    // naughtyHref is in charge of whether protocol relative URLs
+    // are cool. Here we are concerned just with allowed hostnames and
+    // whether to allow relative URLs.
+    //
+    // Build a placeholder "base URL" against which any reasonable
+    // relative URL may be parsed successfully
+    let base = 'relative://relative-site';
+    for (let i = 0; (i < 100); i++) {
+      base += `/${i}`;
+    }
+
+    const parsed = new URL(value, base);
+
+    const isRelativeUrl = parsed && parsed.hostname === 'relative-site' && parsed.protocol === 'relative:';
+    return {
+      isRelativeUrl,
+      url: parsed
+    };
+  }
   /**
@@ -667,0 +683,0 @@ * Filters user input css properties by allowlisted regex attributes.

package.json

 {
   "name": "sanitize-html",
-  "version": "2.7.0",
+  "version": "2.7.1",
   "description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",
@@ -5,0 +5,0 @@ "sideEffects": false,

README.md

@@ -180,5 +180,5 @@ # sanitize-html
 
-If you set `disallowedTagsMode` to `discard` (the default), disallowed tags are discarded. Any text content or subtags is still included, depending on whether the individual subtags are allowed.
+If you set `disallowedTagsMode` to `discard` (the default), disallowed tags are discarded. Any text content or subtags are still included, depending on whether the individual subtags are allowed.
 
-If you set `disallowedTagsMode` to `escape`, the disallowed tags are escaped rather than discarded. Any text or subtags is handled normally.
+If you set `disallowedTagsMode` to `escape`, the disallowed tags are escaped rather than discarded. Any text or subtags are handled normally.
 
@@ -293,3 +293,3 @@ If you set `disallowedTagsMode` to `recursiveEscape`, the disallowed tags are escaped rather than discarded, and the same treatment is applied to all subtags, whether otherwise allowed or not.
 
-Some text editing applications generate HTML to allow copying over to a web application. These can sometimes include undesireable control characters after terminating `html` tag. By default sanitize-html will not discard these characters, instead returning them in sanitized string. This behaviour can be modified using `enforceHtmlBoundary` option.
+Some text editing applications generate HTML to allow copying over to a web application. These can sometimes include undesirable control characters after terminating `html` tag. By default sanitize-html will not discard these characters, instead returning them in sanitized string. This behaviour can be modified using `enforceHtmlBoundary` option.
 
@@ -296,0 +296,0 @@ Setting this option to true will instruct sanitize-html to discard all characters outside of `html` tag boundaries -- before `<html>` and after `</html>` tags.

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Lines of code

760

increased by1.74%

Worsened metrics

Total package byte prevSize

52805

decreased by-30.17%

Number of package files

4

decreased by-20%

No dependency changes