added test case and changed README file

apostrophecms · Feb 29, 2024 · 1f52783 · 1f52783
1 parent d3c1141
commit 1f52783
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -249,6 +249,16 @@ If you set `disallowedTagsMode` to `escape`, the disallowed tags are escaped rat
 
 If you set `disallowedTagsMode` to `recursiveEscape`, the disallowed tags are escaped rather than discarded, and the same treatment is applied to all subtags, whether otherwise allowed or not.
 
+
+#### "What if I wan disallowed tags and any content they contain should discarded"
+
+If you set `disallowedTagsMode` to `completelyDiscard`, disallowed tags and any content they contain are discarded. Any subtags are still included, as long as those individual subtags are allowed.
+
+```js
+allowedTags: [ 'p' ],
+disallowedTagsMode: 'completelyDiscard'
+```
+
 #### "What if I want to allow only specific values on some attributes?"
 
 When configuring the attribute in `allowedAttributes` simply use an object with attribute `name` and an allowed `values` array. In the following example `sandbox="allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-scripts"` would become `sandbox="allow-popups allow-scripts"`:
@@ -695,6 +705,8 @@ attacks. Don't do that* unless you have good reason to trust their origin.
 sanitize-html will log a warning if these tags are allowed, which can be
 disabled with the `allowVulnerableTags: true` option.
 
+### Discarding the entire contents of a disallowed tag
+
 ### Choose what to do with disallowed tags
 
 Instead of discarding, or keeping text only, you may enable escaping of the entire content:

diff --git a/test/test.js b/test/test.js
@@ -1676,4 +1676,23 @@ describe('sanitizeHtml', function() {
     });
     assert.equal(sanitizedHtml, expectedOutput);
   });
+  it('should remove top level tag\'s content', () => {
+    const inputHtml = 'Some Text<p>paragraph content</p> content';
+    const expectedOutput = '<p>paragraph content</p>';
+    const sanitizedHtml = sanitizeHtml(inputHtml, {
+      allowedTags: [ 'p' ],
+      disallowedTagsMode: 'completelyDiscard'
+    });
+    assert.equal(sanitizedHtml, expectedOutput);
+  });
+  it('should completely remove disallowd tag with unclosed tag', () => {
+    const inputHtml = '<div>Some Text<p>paragraph content</p>some text';
+    const expectedOutput = '<p>paragraph content</p>';
+    const sanitizedHtml = sanitizeHtml(inputHtml, {
+      allowedTags: [ 'p' ],
+      disallowedTagsMode: 'completelyDiscard'
+    });
+
+    assert.equal(sanitizedHtml, expectedOutput);
+  });
 });