Skip to content

Commit

Permalink
feat: transform should sanitize html by default
Browse files Browse the repository at this point in the history
PR where sanitizer was added: diplodoc-platform#177
  • Loading branch information
yndx-birman committed Aug 8, 2023
1 parent 9947885 commit bc4a29c
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 7 deletions.
2 changes: 1 addition & 1 deletion src/transform/md.ts
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ function initParser(md: MarkdownIt, options: OptionsType, env: EnvType) {
}

function initCompiler(md: MarkdownIt, options: OptionsType, env: EnvType) {
const {needToSanitizeHtml = false, sanitizeOptions} = options;
const {needToSanitizeHtml = true, sanitizeOptions} = options;

return (tokens: Token[]) => {
const html = md.renderer.render(tokens, md.options, env);
Expand Down
1 change: 1 addition & 0 deletions src/transform/sanitize.ts
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,7 @@ const htmlTags = [
'video',
'wbr',
'iframe',
'style'
];

const svgTags = [
Expand Down
43 changes: 37 additions & 6 deletions test/sanitize-html.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,44 @@ describe('Sanitize HTML utility', () => {
expect(sanitizeHtml('<img src=a onerror=alert(1)>')).toBe('<img src="a" />');
});

it('transform should sanitize html', () => {
expect(transformYfm('<img src=a onerror=alert(1)>', {needToSanitizeHtml: true})).toBe(
'<img src="a" />',
);
describe('by default transform should sanitize html', () => {

describe('html in markdown', () => {
it('should sanitize danger attributes', () => {
expect(transformYfm('<img src="a" onerror=alert(1)>')).toBe(
'<img src="a" />',
);
})

it('should not sanitize style tag', () => {
expect(transformYfm('<style>h2 {color: red;}</style>')).toBe(
'<style>h2 {color: red;}</style>',
);
});
})

describe('plugin markdown-it-attrs', () => {
it('should sanitize danger attributes', () => {
expect(transformYfm('Click {onfocus="alert(1)" onclick="alert(1)"}')).toBe(
'<p>Click</p>\n',
);
});

it('should not sanitize safe attributes', () => {
expect(transformYfm('Click {.style-me data-toggle=modal}')).toBe(
'<p class="style-me" data-toggle="modal">Click</p>\n',
);
});

it('should not sanitize style attribute', () => {
expect(transformYfm('[example.com](https://example.com){style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5"}')).toBe(
'<p><a href=\"https://example.com\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;background-color:red;opacity:0.5\">example.com</a></p>\n',
);
});
})
});

it('by default transform should not sanitize html', () => {
expect(transformYfm('<img src=a onerror=alert(1)>')).toBe('<img src=a onerror=alert(1)>');
it('transform should not sanitize html', () => {
expect(transformYfm('<img src=a onerror=alert(1)>', {needToSanitizeHtml: false})).toBe('<img src=a onerror=alert(1)>');
});
});

0 comments on commit bc4a29c

Please sign in to comment.