-
-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Closes GH-20. Closes GH-21. Reviewed-by: Jonathan Haines <jonno.haines@gmail.com> Reviewed-by: Christian Murphy <christian.murphy.42@gmail.com> Reviewed-by: Titus Wormer <tituswormer@gmail.com>
- Loading branch information
1 parent
ea21109
commit 38c2aa8
Showing
5 changed files
with
305 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,204 @@ | ||
import h = require('hastscript') | ||
import u = require('unist-builder') | ||
import merge = require('deepmerge') | ||
import sanitize = require('hast-util-sanitize') | ||
|
||
// Taken from Readme | ||
const tree = h('div', {onmouseover: 'alert("alpha")'}, [ | ||
h( | ||
'a', | ||
{href: 'jAva script:alert("bravo")', onclick: 'alert("charlie")'}, | ||
'delta' | ||
), | ||
u('text', '\n'), | ||
h('script', 'alert("charlie")'), | ||
u('text', '\n'), | ||
h('img', {src: 'x', onerror: 'alert("delta")'}), | ||
u('text', '\n'), | ||
// eslint-disable-next-line no-script-url | ||
h('iframe', {src: 'javascript:alert("echo")'}), | ||
u('text', '\n'), | ||
h('math', h('mi', {'xlink:href': 'data:x,<script>alert("foxtrot")</script>'})) | ||
]) | ||
|
||
const gh: sanitize.Schema = { | ||
strip: ['script'], | ||
clobberPrefix: 'user-content-', | ||
clobber: ['name', 'id'], | ||
ancestors: { | ||
tbody: ['table'], | ||
tfoot: ['table'], | ||
thead: ['table'], | ||
td: ['table'], | ||
th: ['table'], | ||
tr: ['table'] | ||
}, | ||
protocols: { | ||
href: ['http', 'https', 'mailto', 'xmpp', 'irc', 'ircs'], | ||
cite: ['http', 'https'], | ||
src: ['http', 'https'], | ||
longDesc: ['http', 'https'] | ||
}, | ||
tagNames: [ | ||
'h1', | ||
'h2', | ||
'h3', | ||
'h4', | ||
'h5', | ||
'h6', | ||
'br', | ||
'b', | ||
'i', | ||
'strong', | ||
'em', | ||
'a', | ||
'pre', | ||
'code', | ||
'img', | ||
'tt', | ||
'div', | ||
'ins', | ||
'del', | ||
'sup', | ||
'sub', | ||
'p', | ||
'ol', | ||
'ul', | ||
'table', | ||
'thead', | ||
'tbody', | ||
'tfoot', | ||
'blockquote', | ||
'dl', | ||
'dt', | ||
'dd', | ||
'kbd', | ||
'q', | ||
'samp', | ||
'var', | ||
'hr', | ||
'ruby', | ||
'rt', | ||
'rp', | ||
'li', | ||
'tr', | ||
'td', | ||
'th', | ||
's', | ||
'strike', | ||
'summary', | ||
'details', | ||
'caption', | ||
'figure', | ||
'figcaption', | ||
'abbr', | ||
'bdo', | ||
'cite', | ||
'dfn', | ||
'mark', | ||
'small', | ||
'span', | ||
'time', | ||
'wbr', | ||
'input' | ||
], | ||
attributes: { | ||
a: ['href'], | ||
img: ['src', 'longDesc'], | ||
input: [ | ||
['type', 'checkbox'], | ||
['disabled', true] | ||
], | ||
li: [['className', 'task-list-item']], | ||
div: ['itemScope', 'itemType'], | ||
blockquote: ['cite'], | ||
del: ['cite'], | ||
ins: ['cite'], | ||
q: ['cite'], | ||
'*': [ | ||
'abbr', | ||
'accept', | ||
'acceptCharset', | ||
'accessKey', | ||
'action', | ||
'align', | ||
'alt', | ||
'ariaDescribedBy', | ||
'ariaHidden', | ||
'ariaLabel', | ||
'ariaLabelledBy', | ||
'axis', | ||
'border', | ||
'cellPadding', | ||
'cellSpacing', | ||
'char', | ||
'charOff', | ||
'charSet', | ||
'checked', | ||
'clear', | ||
'cols', | ||
'colSpan', | ||
'color', | ||
'compact', | ||
'coords', | ||
'dateTime', | ||
'dir', | ||
'disabled', | ||
'encType', | ||
'htmlFor', | ||
'frame', | ||
'headers', | ||
'height', | ||
'hrefLang', | ||
'hSpace', | ||
'isMap', | ||
'id', | ||
'label', | ||
'lang', | ||
'maxLength', | ||
'media', | ||
'method', | ||
'multiple', | ||
'name', | ||
'noHref', | ||
'noShade', | ||
'noWrap', | ||
'open', | ||
'prompt', | ||
'readOnly', | ||
'rel', | ||
'rev', | ||
'rows', | ||
'rowSpan', | ||
'rules', | ||
'scope', | ||
'selected', | ||
'shape', | ||
'size', | ||
'span', | ||
'start', | ||
'summary', | ||
'tabIndex', | ||
'target', | ||
'title', | ||
'type', | ||
'useMap', | ||
'vAlign', | ||
'value', | ||
'vSpace', | ||
'width', | ||
'itemProp' | ||
] | ||
}, | ||
required: { | ||
input: { | ||
type: 'checkbox', | ||
disabled: true | ||
} | ||
} | ||
} | ||
|
||
const schema = merge(gh, {attributes: {'*': ['className']}}) | ||
|
||
sanitize(tree) | ||
sanitize(tree, schema) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
import {Node} from 'unist' | ||
|
||
declare namespace sanitize { | ||
/** | ||
* Possible HTML attribute values | ||
*/ | ||
type HTMLValue = string | number | boolean | ||
|
||
/** | ||
* Sanitization configuration | ||
*/ | ||
interface Schema { | ||
/** | ||
* Map of tag names to allowed property names | ||
* | ||
* The special '*' key defines property names allowed on all elements | ||
*/ | ||
attributes?: { | ||
[key: string]: Array<string | [string, ...HTMLValue[]]> | ||
} | ||
|
||
/** | ||
* Map of tag names to required property names and their default property value | ||
*/ | ||
required?: {[key: string]: {[key: string]: HTMLValue}} | ||
|
||
/** | ||
* List of allowed tag names | ||
*/ | ||
tagNames?: string[] | ||
|
||
/** | ||
* Map of protocols to allow in property values | ||
*/ | ||
protocols?: {[key: string]: string[]} | ||
|
||
/** | ||
* Map of tag names to their required ancestor elements | ||
*/ | ||
ancestors?: {[key: string]: string[]} | ||
|
||
/** | ||
* List of allowed property names which can clobber | ||
*/ | ||
clobber?: string[] | ||
|
||
/** | ||
* Prefix to use before potentially clobbering property names | ||
*/ | ||
clobberPrefix?: string | ||
|
||
/** | ||
* Names of elements to strip from the tree | ||
*/ | ||
strip?: string[] | ||
|
||
/** | ||
* Whether to allow comments | ||
*/ | ||
allowComments?: boolean | ||
|
||
/** | ||
* Whether to allow doctypes | ||
*/ | ||
allowDoctypes?: boolean | ||
} | ||
} | ||
|
||
/** | ||
* Hast utility to sanitize a tree | ||
* | ||
* @param tree Hast tree to sanitize | ||
* @param schema Schema defining how to sanitize - defaults to Github style sanitation | ||
*/ | ||
declare function sanitize(tree: Node, schema?: sanitize.Schema): Node | ||
|
||
export = sanitize |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
{ | ||
"compilerOptions": { | ||
"lib": ["es2015"], | ||
"strict": true, | ||
"baseUrl": ".", | ||
"resolveJsonModule": true, | ||
"paths": { | ||
"hast-util-sanitize": ["index.d.ts"] | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
{ | ||
"extends": "dtslint/dtslint.json", | ||
"rules": { | ||
"semicolon": false, | ||
"whitespace": false | ||
} | ||
} |