Fix to sanitize by default
The docs have always said `remark-html` is safe by default.
It wasn’t, and this commit fixes that.

If you do want to be unsafe, use `remark-html` with `sanitize: false`:

```diff
  -.use(remarkHtml)
  +.use(remarkHtml, {sanitize: false})
```
wooorm committed Sep 7, 2021
1 parent c0b2f69 commit b0b1ba5
Showing 2 changed files with 28 additions and 14 deletions.
22 changes: 16 additions & 6 deletions index.js
Expand Up @@ -7,24 +7,34 @@ var sanitize = require('hast-util-sanitize')
module.exports = plugin

function plugin(options) {
var settings = options || {}
var clean = settings.sanitize
var schema = clean && typeof clean === 'object' ? clean : null
var handlers = settings.handlers || {}
var settings = Object.assign({}, options || {})
let clean

if (typeof settings.sanitize === 'boolean') {
clean = settings.sanitize
settings.sanitize = undefined
}

if (typeof clean !== 'boolean') {
clean = true
}

this.Compiler = compiler

function compiler(node, file) {
var root = node && node.type && node.type === 'root'
var hast = toHast(node, {allowDangerousHtml: !clean, handlers: handlers})
var hast = toHast(node, {
allowDangerousHtml: !clean,
handlers: settings.handlers
})
var result

if (file.extname) {
file.extname = '.html'
}

if (clean) {
hast = sanitize(hast, schema)
hast = sanitize(hast, settings.sanitize)
}

result = toHtml(
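Review bot: The option normalization on L36–43 is the security-critical switch of this commit, yet it carries no comment and its two-step shape (`let clean` assigned in one `if`, defaulted in a second) hides the rule it implements: only an explicit boolean `false` disables sanitization, while an object is treated as a custom schema and `null` or anything else falls through to `sanitize()` with the default schema on L62. The same rule reads in one line with a why-comment, `// Only an explicit \`sanitize: false\` turns sanitization off; an object is a custom schema, anything else gets the default schema`, followed by `var clean = typeof settings.sanitize === 'boolean' ? settings.sanitize : true` and `if (typeof settings.sanitize === 'boolean') settings.sanitize = undefined` so a bare boolean never reaches `sanitize()` as a schema. The file otherwise uses `var` (L33, L45, L48), so the lone `let` on L34 stands out. Only index.js and test/index.js change here, so if the readme documents `sanitize` as defaulting to `false`, it presumably still needs updating. `plugin` and the nested `compiler` both continue past the end of this hunk.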
20 changes: 12 additions & 8 deletions test/index.js
Expand Up @@ -37,7 +37,7 @@ test('remark-html()', function (t) {
'should throw when not given a node'
)

processor = remark().use(html)
processor = remark().use(html, {sanitize: false})

t.equal(
processor.stringify({type: 'alpha'}),
Expand Down Expand Up @@ -69,6 +69,7 @@ test('remark-html()', function (t) {
)

processor = remark().use(html, {
sanitize: false,
handlers: {
paragraph: function (h, node) {
node.children[0].value = 'changed'
Expand All @@ -91,7 +92,7 @@ test('remark-html()', function (t) {
}
}
})
.use(html)
.use(html, {sanitize: false})

t.equal(
processor.processSync('![hello](example.jpg "overwritten")').toString(),
Expand All @@ -105,7 +106,7 @@ test('remark-html()', function (t) {
ast.children[0].children[0].data = {hName: 'b'}
}
})
.use(html)
.use(html, {sanitize: false})

t.equal(
processor.processSync('**Bold!**').toString(),
Expand All @@ -130,7 +131,7 @@ test('remark-html()', function (t) {
}
}
})
.use(html)
.use(html, {sanitize: false})

t.equal(
processor.processSync('`var`').toString(),
Expand Down Expand Up @@ -171,7 +172,7 @@ test('remark-html()', function (t) {
}
}
})
.use(html)
.use(html, {sanitize: false})

t.equal(
processor.processSync('```js\nvar\n```\n').toString(),
Expand All @@ -180,7 +181,10 @@ test('remark-html()', function (t) {
)

t.equal(
remark().use(html).processSync('## Hello <span>world</span>').toString(),
remark()
.use(html, {sanitize: false})
.processSync('## Hello <span>world</span>')
.toString(),
'<h2>Hello <span>world</span></h2>\n',
'should be `sanitation: false` by default'
)
Expand All @@ -199,7 +203,7 @@ test('remark-html()', function (t) {
.use(html, {sanitize: null})
.processSync('## Hello <span>world</span>')
.toString(),
'<h2>Hello <span>world</span></h2>\n',
'<h2>Hello world</h2>\n',
'should support sanitation: null'
)

Expand Down Expand Up @@ -267,7 +271,7 @@ test('CommonMark', function (t) {

var actual = unified()
.use(parse)
.use(html)
.use(html, {sanitize: false})
.processSync(example.markdown)
.toString()

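Review bot: The assertion message on L132 now contradicts its test: the call passes `sanitize: false` explicitly on L128, so 'should be `sanitation: false` by default' describes the old default this commit removes; rename it to `'should support sanitize: false'`. None of the visible hunks asserts the new default with no options at all, which is the actual behaviour change, so unless such a case already exists elsewhere in the file add `t.equal(remark().use(html).processSync('## Hello <span>world</span>').toString(), '<h2>Hello world</h2>\n', 'should sanitize by default')` next to the `sanitize: null` case on L135–141. The enclosing `test('remark-html()', …)` callback starts and ends outside these hunks.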
