sanitized
Comparing version 1.1.5 to 1.1.6
index.js
const DOMPurify = require("dompurify"); | ||
const { decode } = require("he"); | ||
const he = require("he"); | ||
@@ -7,10 +7,10 @@ let sanitizer = (dirty) => dirty; | ||
if (DOMPurify.sanitize) { | ||
sanitizer = (dirty, options) => decode(DOMPurify.sanitize(dirty, options)); | ||
sanitizer = (dirty, options) => he.decode(DOMPurify.sanitize(dirty, options)); | ||
} else { | ||
try { | ||
const { JSDOM } = require("jsdom"); | ||
const { window } = new JSDOM("<!DOCTYPE html>"); | ||
DOMPurifyWindow = DOMPurify(window); | ||
const jsdom = require("jsdom"); | ||
const JSDOM = new jsdom.JSDOM("<!DOCTYPE html>"); | ||
const DOMPurifyWindow = DOMPurify(JSDOM.window); | ||
sanitizer = (dirty, options) => | ||
decode(DOMPurifyWindow.sanitize(dirty, options)); | ||
he.decode(DOMPurifyWindow.sanitize(dirty, options)); | ||
} catch (error) { | ||
@@ -21,30 +21,19 @@ console.error(error); | ||
function sanitize(dirty, DOMPurifyOptions, callback) { | ||
function sanitized(dirty, DOMPurifyOptions, errorHandler) { | ||
try { | ||
if (typeof dirty === "string") | ||
return sanitizer(dirty, DOMPurifyOptions, callback); | ||
let clone = JSON.parse(JSON.stringify(dirty)); | ||
if (dirty && dirty.constructor === Array) { | ||
let clone = [].concat(dirty); | ||
for (let i = 0; i < clone.length; i++) { | ||
clone[i] = sanitize(clone[i], DOMPurifyOptions, callback); | ||
} | ||
return clone; | ||
} | ||
if (typeof clone === "string") clone = sanitizer(clone, DOMPurifyOptions); | ||
if (dirty && dirty.constructor === Object) { | ||
let clone = JSON.parse(JSON.stringify(dirty)); | ||
let cloneKeys = Object.keys(clone); | ||
for (let i = 0; i < cloneKeys.length; i++) { | ||
const cloneKey = cloneKeys[i]; | ||
clone[cloneKey] = sanitize(clone[cloneKey], DOMPurifyOptions, callback); | ||
} | ||
return clone; | ||
} | ||
if (clone instanceof Array) | ||
for (let i = 0; i < clone.length; i++) | ||
clone[i] = sanitized(clone[i], DOMPurifyOptions); | ||
if (callback) callback(null, dirty); | ||
if (clone instanceof Object) | ||
for (cloneKey of Object.keys(clone)) | ||
clone[cloneKey] = sanitized(clone[cloneKey], DOMPurifyOptions); | ||
return dirty; | ||
return clone; | ||
} catch (err) { | ||
if (callback) callback(err); | ||
if (errorHandler) errorHandler(err); | ||
@@ -55,2 +44,2 @@ return dirty; | ||
module.exports = sanitize; | ||
module.exports = sanitized; |
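Review bot: `for (cloneKey of Object.keys(clone))` in the new `sanitized` body declares no binding, so `cloneKey` becomes an implicit global in this CommonJS file (and a ReferenceError if the file is ever run in strict mode), and since the loop sits inside the try, that error would apparently be swallowed by the catch and the caller would get the unsanitized `dirty` back if the catch still ends in the `return dirty;` shown as context in the last hunk header; write `for (const cloneKey of Object.keys(clone))`. Arrays also satisfy `clone instanceof Object`, so every array element goes through `sanitized` twice, once by the index loop and again by the key loop; making the second branch `else if (clone instanceof Object)` keeps one pass per value. `JSON.parse(JSON.stringify(dirty))` throws for `undefined` input (and silently drops functions and `undefined`-valued properties), which again lands in the fail-open catch, so a guard such as `if (dirty === undefined) return dirty;` before the clone is cheaper and more explicit. Separately, `he.decode` applied to DOMPurify's output reverses the entity encoding DOMPurify emitted, so the returned string is safe as text but should not be documented as safe to insert as HTML. The catch block and the function's closing brace continue outside this hunk.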
{ | ||
"name": "sanitized", | ||
"version": "1.1.5", | ||
"description": "Recursive function that'll sanitize a string or ALL strings in an object or array.", | ||
"version": "1.1.6", | ||
"description": "Recursive function that'll sanitize a string or ALL strings in a json input.", | ||
"main": "index.js", | ||
@@ -25,6 +25,6 @@ "scripts": { | ||
"dependencies": { | ||
"dompurify": "^2.3.3", | ||
"dompurify": "^2.3.6", | ||
"he": "^1.2.0", | ||
"jsdom": "^17.0.0" | ||
"jsdom": "^19.0.0" | ||
} | ||
} |
# sanitized | ||
sanitized() is a recursive function that'll sanitize a string or ALL strings in an object or array. It's great for sanitizing form data before it gets submitted to the back-end (re: protection against XSS attacks). | ||
sanitized() is a recursive function that'll sanitize a string or ALL strings in a json input. It's great for sanitizing form data before it gets submitted to the back-end (re: protection against XSS attacks). | ||
@@ -21,9 +21,9 @@ It accepts two params the first being the value to sanitize, and the second being options to pass to [DOMPurify](https://www.npmjs.com/package/dompurify). | ||
const test = [ | ||
"<svg><g/onload=alert(2)//<p>", | ||
{ | ||
name1: [ | ||
'<math><mi//xlink:href="data:x,<script>alert(4)</script>">', | ||
{ name2: "<p>abc<iframe//src=jAva	script:alert(3)>def" }, | ||
], | ||
}, | ||
"<svg><g/onload=alert(2)//<p>", | ||
{ | ||
name1: [ | ||
'<math><mi//xlink:href="data:x,<script>alert(4)</script>">', | ||
{ name2: "<p>abc<iframe//src=jAva	script:alert(3)>def" }, | ||
], | ||
}, | ||
]; | ||
@@ -30,0 +30,0 @@ |
+ Added@tootallnate/once@2.0.0(transitive)
+ Addeddomexception@4.0.0(transitive)
+ Addedhtml-encoding-sniffer@3.0.0(transitive)
+ Addedhttp-proxy-agent@5.0.0(transitive)
+ Addediconv-lite@0.6.3(transitive)
+ Addedjsdom@19.0.0(transitive)
+ Addedw3c-xmlserializer@3.0.0(transitive)
+ Addedwhatwg-encoding@2.0.0(transitive)
+ Addedwhatwg-url@10.0.0(transitive)
+ Addedxml-name-validator@4.0.0(transitive)
- Removed@tootallnate/once@1.1.2(transitive)
- Removeddomexception@2.0.1(transitive)
- Removedhtml-encoding-sniffer@2.0.1(transitive)
- Removedhttp-proxy-agent@4.0.1(transitive)
- Removediconv-lite@0.4.24(transitive)
- Removedjsdom@17.0.0(transitive)
- Removedtr46@2.1.0(transitive)
- Removedw3c-xmlserializer@2.0.0(transitive)
- Removedwebidl-conversions@5.0.06.1.0(transitive)
- Removedwhatwg-encoding@1.0.5(transitive)
- Removedwhatwg-mimetype@2.3.0(transitive)
- Removedwhatwg-url@9.1.0(transitive)
- Removedxml-name-validator@3.0.0(transitive)
Updateddompurify@^2.3.6
Updatedjsdom@^19.0.0