From b218a722a3706de54b1ddcca0377e131102ec8fd Mon Sep 17 00:00:00 2001 From: Alex Bea Date: Fri, 7 Aug 2020 09:54:28 -0500 Subject: [PATCH] Fixes issue with using transformTags without textFilter (#395) * Fixes issue with using transformTags without textFilter * Updates changelog --- CHANGELOG.md | 5 ++--- index.js | 6 ++++-- package.json | 4 ++-- test/test.js | 18 ++++++++++++++++-- 4 files changed, 24 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e97b7f..671d84f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,8 @@ ## Changelog 2.0.0-beta.2: -- Add `files` to `package.json` to prevent publishing unnecessary files to npm #392 - -Thanks to [styfle](https://github.com/styfle) for contributions to this patch version update. +- Add `files` to `package.json` to prevent publishing unnecessary files to npm #392. Thanks to [styfle](https://github.com/styfle) for the contribution. +- Fixes a bug when using `transformTags` with out `textFilter`. Thanks to [Andrzej Porebski](https://github.com/andpor) for the help with a failing test. 2.0.0-beta: - Moves the `index.js` file to the project root and removes all build steps within the package. Going forward, it is up to the developer to include sanitize-html in their project builds as-needed. This removes major points of conflict with project code and frees this module to not worry about myriad build-related questions. diff --git a/index.js b/index.js index 4b57ec5..abbdbea 100644 --- a/index.js +++ b/index.js @@ -178,6 +178,7 @@ function sanitizeHtml(html, options, _recursing) { let transformMap; let skipText; let skipTextDepth; + let addedText = false; initializeState(); @@ -391,6 +392,7 @@ function sanitizeHtml(html, options, _recursing) { result += '>'; if (frame.innerText && !hasText && !options.textFilter) { result += escapeHtml(frame.innerText); + addedText = true; } } if (skip) { 
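Review bot: `addedText` is declared once per `sanitizeHtml` call and set to `true` in the `@@ -391` hunk, but nothing in the visible hunks sets it back to `false`. After the first tag whose transform supplies `text`, the guards added in the `@@ -419` hunk (`options.textFilter && !addedText` and `else if (!addedText)`) would therefore appear to drop every later text node in the document, not only the one being replaced. Unless the flag is cleared in code outside these hunks, add `addedText = false;` where the element's closing tag is handled, and possibly in `initializeState()` as well. Because the flag is only set under `!options.textFilter`, the `!addedText` test in the `textFilter` branch looks redundant. The new test in `test/test.js` has no text after the transformed element, so it would not catch this; the enclosing handlers start and end outside the hunks.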
@@ -419,9 +421,9 @@ function sanitizeHtml(html, options, _recursing) { result += text; } else { const escaped = escapeHtml(text, false); - if (options.textFilter) { + if (options.textFilter && !addedText) { result += options.textFilter(escaped, tag); - } else { + } else if (!addedText) { result += escaped; } } diff --git a/package.json b/package.json index be67e8e..954a6bd 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "sanitize-html", - "version": "2.0.0-beta", + "version": "2.0.0-beta.2", "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", "sideEffects": false, "main": "index.js", @@ -41,4 +41,4 @@ "mocha": "^5.2.0", "sinon": "^9.0.2" } -} +} \ No newline at end of file diff --git a/test/test.js b/test/test.js index 5634afa..60d6f54 100644 --- a/test/test.js +++ b/test/test.js @@ -202,6 +202,20 @@ describe('sanitizeHtml', function() { }), 'some_text_need"to<be>filtered'); }); + it('should replace text and attributes when they are changed by transforming function and textFilter is set', function () { + assert.equal(sanitizeHtml('some text', { + transformTags: { + a: function (tagName, attribs) { + return { + tagName: tagName, + attribs: attribs, + text: 'some good text' + }; + } + } + }), 'some good text'); + }); + it('should add new text when not initially set and replace attributes when they are changed by transforming function', function () { assert.equal(sanitizeHtml('', { transformTags: { @@ -745,8 +759,8 @@ describe('sanitizeHtml', function() { ); }); it('should sanitize styles correctly', function() { - const sanitizeString = '

bestetestestestestestsettestestest

  1. ​test
  2. test
  3. test
  4. test

test

TESTETESTESTES

'; - const expected = '

bestetestestestestestsettestestest

  1. ​test
  2. test
  3. test
  4. test

test

TESTETESTESTES

'; + const sanitizeString = '

bestetestestestestestsettestestest

  1. test
  2. test
  3. test
  4. test

test

TESTETESTESTES

'; + const expected = '

bestetestestestestestsettestestest

  1. test
  2. test
  3. test
  4. test

test

TESTETESTESTES

'; assert.equal( sanitizeHtml(sanitizeString, { allowedTags: false,