Handle iframes and target attribute with dompurify

This commit is contained in:
David Larlet 2023-05-20 09:56:18 -04:00
parent fa3d653944
commit 4a3c845eca
No known key found for this signature in database
2 changed files with 18 additions and 16 deletions


@ -46,6 +46,7 @@ L.Util.escapeHTML = (s) => {
s = s ? s.toString() : '' s = s ? s.toString() : ''
s = DOMPurify.sanitize(s, { s = DOMPurify.sanitize(s, {
USE_PROFILES: { html: true }, USE_PROFILES: { html: true },
ADD_TAGS: ['iframe'],
ALLOWED_TAGS: [ ALLOWED_TAGS: [
'h3', 'h3',
'h4', 'h4',
@ -61,7 +62,8 @@ L.Util.escapeHTML = (s) => {
'img', 'img',
'br', 'br',
], ],
ALLOWED_ATTR: ['target', 'href', 'frameborder', 'src', 'width', 'height'], ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
}) })
return s return s
} }
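Review bot: The iframe admitted through `ADD_TAGS: ['iframe']` is accepted with any `src` and no `sandbox` attribute, and `ADD_ATTR` now also admits `allow` and `allowfullscreen`, so an embedded document runs fully privileged and the author of a `{{{...}}}` block can delegate permissions-policy features to it; DOMPurify checks attribute names here, not the embedded origin. Consider forcing a restrictive sandbox on every iframe in an `afterSanitizeAttributes` hook, e.g. `if (node.nodeName === 'IFRAME') node.setAttribute('sandbox', 'allow-scripts')`, widening the flag set only to what the existing embeds need. The same hook is the usual place to set `rel="noopener noreferrer"` on anchors now that `target` is allowed without a `rel` counterpart. Whether `allow` and `scrolling` are needed at all is not shown by this hunk — the tests on this page only exercise `frameborder`, `src`, `width` and `height`. The enclosing `L.Util.escapeHTML` starts outside the hunk.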


@ -38,49 +38,49 @@ describe('L.Util', function () {
it('should handle links without formatting', function () { it('should handle links without formatting', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple http://osm.org link'), L.Util.toHTML('A simple http://osm.org link'),
'A simple <a target="_blank" href="http://osm.org">http://osm.org</a> link' 'A simple <a href="http://osm.org" target="_blank">http://osm.org</a> link'
) )
}) })
it('should handle simple link in title', function () { it('should handle simple link in title', function () {
assert.equal( assert.equal(
L.Util.toHTML('# http://osm.org'), L.Util.toHTML('# http://osm.org'),
'<h3><a target="_blank" href="http://osm.org">http://osm.org</a></h3>' '<h3><a href="http://osm.org" target="_blank">http://osm.org</a></h3>'
) )
}) })
it('should handle links with url parameter', function () { it('should handle links with url parameter', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple https://osm.org/?url=https%3A//anotherurl.com link'), L.Util.toHTML('A simple https://osm.org/?url=https%3A//anotherurl.com link'),
'A simple <a target="_blank" href="https://osm.org/?url=https%3A//anotherurl.com">https://osm.org/?url=https%3A//anotherurl.com</a> link' 'A simple <a href="https://osm.org/?url=https%3A//anotherurl.com" target="_blank">https://osm.org/?url=https%3A//anotherurl.com</a> link'
) )
}) })
it('should handle simple link inside parenthesis', function () { it('should handle simple link inside parenthesis', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple link (http://osm.org)'), L.Util.toHTML('A simple link (http://osm.org)'),
'A simple link (<a target="_blank" href="http://osm.org">http://osm.org</a>)' 'A simple link (<a href="http://osm.org" target="_blank">http://osm.org</a>)'
) )
}) })
it('should handle simple link with formatting', function () { it('should handle simple link with formatting', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple [[http://osm.org]] link'), L.Util.toHTML('A simple [[http://osm.org]] link'),
'A simple <a target="_blank" href="http://osm.org">http://osm.org</a> link' 'A simple <a href="http://osm.org" target="_blank">http://osm.org</a> link'
) )
}) })
it('should handle simple link with formatting and content', function () { it('should handle simple link with formatting and content', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple [[http://osm.org|link]]'), L.Util.toHTML('A simple [[http://osm.org|link]]'),
'A simple <a target="_blank" href="http://osm.org">link</a>' 'A simple <a href="http://osm.org" target="_blank">link</a>'
) )
}) })
it('should handle simple link followed by a carriage return', function () { it('should handle simple link followed by a carriage return', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple link http://osm.org\nAnother line'), L.Util.toHTML('A simple link http://osm.org\nAnother line'),
'A simple link <a target="_blank" href="http://osm.org">http://osm.org</a><br>\nAnother line' 'A simple link <a href="http://osm.org" target="_blank">http://osm.org</a><br>\nAnother line'
) )
}) })
@ -108,28 +108,28 @@ describe('L.Util', function () {
it('should handle iframe', function () { it('should handle iframe', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html}}}'), L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html}}}'),
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="100%" height="300px"></iframe></div>' 'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="100%" height="300px" frameborder="0"></iframe></div>'
) )
}) })
it('should handle iframe with height', function () { it('should handle iframe with height', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200}}}'), L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200}}}'),
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="100%" height="200px"></iframe></div>' 'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="100%" height="200px" frameborder="0"></iframe></div>'
) )
}) })
it('should handle iframe with height and width', function () { it('should handle iframe with height and width', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200*400}}}'), L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200*400}}}'),
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="400px" height="200px"></iframe></div>' 'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="400px" height="200px" frameborder="0"></iframe></div>'
) )
}) })
it('should handle iframe with height with px', function () { it('should handle iframe with height with px', function () {
assert.equal( assert.equal(
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200px}}}'), L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200px}}}'),
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="100%" height="200px"></iframe></div>' 'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="100%" height="200px" frameborder="0"></iframe></div>'
) )
}) })
@ -138,7 +138,7 @@ describe('L.Util', function () {
L.Util.toHTML( L.Util.toHTML(
'A simple iframe: {{{https://osm.org/?url=https%3A//anotherurl.com}}}' 'A simple iframe: {{{https://osm.org/?url=https%3A//anotherurl.com}}}'
), ),
'A simple iframe: <div><iframe frameborder="0" src="https://osm.org/?url=https%3A//anotherurl.com" width="100%" height="300px"></iframe></div>' 'A simple iframe: <div><iframe src="https://osm.org/?url=https%3A//anotherurl.com" width="100%" height="300px" frameborder="0"></iframe></div>'
) )
}) })
@ -147,7 +147,7 @@ describe('L.Util', function () {
L.Util.toHTML( L.Util.toHTML(
'A double iframe: {{{https://osm.org/pouet}}}{{{https://osm.org/boudin}}}' 'A double iframe: {{{https://osm.org/pouet}}}{{{https://osm.org/boudin}}}'
), ),
'A double iframe: <div><iframe frameborder="0" src="https://osm.org/pouet" width="100%" height="300px"></iframe></div><div><iframe frameborder="0" src="https://osm.org/boudin" width="100%" height="300px"></iframe></div>' 'A double iframe: <div><iframe src="https://osm.org/pouet" width="100%" height="300px" frameborder="0"></iframe></div><div><iframe src="https://osm.org/boudin" width="100%" height="300px" frameborder="0"></iframe></div>'
) )
}) })
@ -156,14 +156,14 @@ describe('L.Util', function () {
L.Util.toHTML( L.Util.toHTML(
'A phrase with a [[http://iframeurl.com?to=http://another.com]].' 'A phrase with a [[http://iframeurl.com?to=http://another.com]].'
), ),
'A phrase with a <a target="_blank" href="http://iframeurl.com?to=http://another.com">http://iframeurl.com?to=http://another.com</a>.' 'A phrase with a <a href="http://iframeurl.com?to=http://another.com" target="_blank">http://iframeurl.com?to=http://another.com</a>.'
) )
}) })
}) })
describe('#escapeHTML', function () { describe('#escapeHTML', function () {
it('should escape HTML tags', function () { it('should escape HTML tags', function () {
assert.equal(L.Util.escapeHTML('<a href="pouet">'), '&lt;a href="pouet">') assert.equal(L.Util.escapeHTML('<span onload="alert(oups)">'), '<span></span>')
}) })
it('should not fail with int value', function () { it('should not fail with int value', function () {