Handle iframes and target attribute with dompurify
This commit is contained in:
parent
fa3d653944
commit
4a3c845eca
2 changed files with 18 additions and 16 deletions
|
@ -46,6 +46,7 @@ L.Util.escapeHTML = (s) => {
|
||||||
s = s ? s.toString() : ''
|
s = s ? s.toString() : ''
|
||||||
s = DOMPurify.sanitize(s, {
|
s = DOMPurify.sanitize(s, {
|
||||||
USE_PROFILES: { html: true },
|
USE_PROFILES: { html: true },
|
||||||
|
ADD_TAGS: ['iframe'],
|
||||||
ALLOWED_TAGS: [
|
ALLOWED_TAGS: [
|
||||||
'h3',
|
'h3',
|
||||||
'h4',
|
'h4',
|
||||||
|
@ -61,7 +62,8 @@ L.Util.escapeHTML = (s) => {
|
||||||
'img',
|
'img',
|
||||||
'br',
|
'br',
|
||||||
],
|
],
|
||||||
ALLOWED_ATTR: ['target', 'href', 'frameborder', 'src', 'width', 'height'],
|
ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
|
||||||
|
ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
|
||||||
})
|
})
|
||||||
return s
|
return s
|
||||||
}
|
}
|
||||||
|
|
|
@ -38,49 +38,49 @@ describe('L.Util', function () {
|
||||||
it('should handle links without formatting', function () {
|
it('should handle links without formatting', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple http://osm.org link'),
|
L.Util.toHTML('A simple http://osm.org link'),
|
||||||
'A simple <a target="_blank" href="http://osm.org">http://osm.org</a> link'
|
'A simple <a href="http://osm.org" target="_blank">http://osm.org</a> link'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle simple link in title', function () {
|
it('should handle simple link in title', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('# http://osm.org'),
|
L.Util.toHTML('# http://osm.org'),
|
||||||
'<h3><a target="_blank" href="http://osm.org">http://osm.org</a></h3>'
|
'<h3><a href="http://osm.org" target="_blank">http://osm.org</a></h3>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle links with url parameter', function () {
|
it('should handle links with url parameter', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple https://osm.org/?url=https%3A//anotherurl.com link'),
|
L.Util.toHTML('A simple https://osm.org/?url=https%3A//anotherurl.com link'),
|
||||||
'A simple <a target="_blank" href="https://osm.org/?url=https%3A//anotherurl.com">https://osm.org/?url=https%3A//anotherurl.com</a> link'
|
'A simple <a href="https://osm.org/?url=https%3A//anotherurl.com" target="_blank">https://osm.org/?url=https%3A//anotherurl.com</a> link'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle simple link inside parenthesis', function () {
|
it('should handle simple link inside parenthesis', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple link (http://osm.org)'),
|
L.Util.toHTML('A simple link (http://osm.org)'),
|
||||||
'A simple link (<a target="_blank" href="http://osm.org">http://osm.org</a>)'
|
'A simple link (<a href="http://osm.org" target="_blank">http://osm.org</a>)'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle simple link with formatting', function () {
|
it('should handle simple link with formatting', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple [[http://osm.org]] link'),
|
L.Util.toHTML('A simple [[http://osm.org]] link'),
|
||||||
'A simple <a target="_blank" href="http://osm.org">http://osm.org</a> link'
|
'A simple <a href="http://osm.org" target="_blank">http://osm.org</a> link'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle simple link with formatting and content', function () {
|
it('should handle simple link with formatting and content', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple [[http://osm.org|link]]'),
|
L.Util.toHTML('A simple [[http://osm.org|link]]'),
|
||||||
'A simple <a target="_blank" href="http://osm.org">link</a>'
|
'A simple <a href="http://osm.org" target="_blank">link</a>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle simple link followed by a carriage return', function () {
|
it('should handle simple link followed by a carriage return', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple link http://osm.org\nAnother line'),
|
L.Util.toHTML('A simple link http://osm.org\nAnother line'),
|
||||||
'A simple link <a target="_blank" href="http://osm.org">http://osm.org</a><br>\nAnother line'
|
'A simple link <a href="http://osm.org" target="_blank">http://osm.org</a><br>\nAnother line'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -108,28 +108,28 @@ describe('L.Util', function () {
|
||||||
it('should handle iframe', function () {
|
it('should handle iframe', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html}}}'),
|
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html}}}'),
|
||||||
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="100%" height="300px"></iframe></div>'
|
'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="100%" height="300px" frameborder="0"></iframe></div>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle iframe with height', function () {
|
it('should handle iframe with height', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200}}}'),
|
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200}}}'),
|
||||||
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="100%" height="200px"></iframe></div>'
|
'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="100%" height="200px" frameborder="0"></iframe></div>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle iframe with height and width', function () {
|
it('should handle iframe with height and width', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200*400}}}'),
|
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200*400}}}'),
|
||||||
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="400px" height="200px"></iframe></div>'
|
'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="400px" height="200px" frameborder="0"></iframe></div>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should handle iframe with height with px', function () {
|
it('should handle iframe with height with px', function () {
|
||||||
assert.equal(
|
assert.equal(
|
||||||
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200px}}}'),
|
L.Util.toHTML('A simple iframe: {{{http://osm.org/pouet.html|200px}}}'),
|
||||||
'A simple iframe: <div><iframe frameborder="0" src="http://osm.org/pouet.html" width="100%" height="200px"></iframe></div>'
|
'A simple iframe: <div><iframe src="http://osm.org/pouet.html" width="100%" height="200px" frameborder="0"></iframe></div>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -138,7 +138,7 @@ describe('L.Util', function () {
|
||||||
L.Util.toHTML(
|
L.Util.toHTML(
|
||||||
'A simple iframe: {{{https://osm.org/?url=https%3A//anotherurl.com}}}'
|
'A simple iframe: {{{https://osm.org/?url=https%3A//anotherurl.com}}}'
|
||||||
),
|
),
|
||||||
'A simple iframe: <div><iframe frameborder="0" src="https://osm.org/?url=https%3A//anotherurl.com" width="100%" height="300px"></iframe></div>'
|
'A simple iframe: <div><iframe src="https://osm.org/?url=https%3A//anotherurl.com" width="100%" height="300px" frameborder="0"></iframe></div>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -147,7 +147,7 @@ describe('L.Util', function () {
|
||||||
L.Util.toHTML(
|
L.Util.toHTML(
|
||||||
'A double iframe: {{{https://osm.org/pouet}}}{{{https://osm.org/boudin}}}'
|
'A double iframe: {{{https://osm.org/pouet}}}{{{https://osm.org/boudin}}}'
|
||||||
),
|
),
|
||||||
'A double iframe: <div><iframe frameborder="0" src="https://osm.org/pouet" width="100%" height="300px"></iframe></div><div><iframe frameborder="0" src="https://osm.org/boudin" width="100%" height="300px"></iframe></div>'
|
'A double iframe: <div><iframe src="https://osm.org/pouet" width="100%" height="300px" frameborder="0"></iframe></div><div><iframe src="https://osm.org/boudin" width="100%" height="300px" frameborder="0"></iframe></div>'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -156,14 +156,14 @@ describe('L.Util', function () {
|
||||||
L.Util.toHTML(
|
L.Util.toHTML(
|
||||||
'A phrase with a [[http://iframeurl.com?to=http://another.com]].'
|
'A phrase with a [[http://iframeurl.com?to=http://another.com]].'
|
||||||
),
|
),
|
||||||
'A phrase with a <a target="_blank" href="http://iframeurl.com?to=http://another.com">http://iframeurl.com?to=http://another.com</a>.'
|
'A phrase with a <a href="http://iframeurl.com?to=http://another.com" target="_blank">http://iframeurl.com?to=http://another.com</a>.'
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('#escapeHTML', function () {
|
describe('#escapeHTML', function () {
|
||||||
it('should escape HTML tags', function () {
|
it('should escape HTML tags', function () {
|
||||||
assert.equal(L.Util.escapeHTML('<a href="pouet">'), '<a href="pouet">')
|
assert.equal(L.Util.escapeHTML('<span onload="alert(oups)">'), '<span></span>')
|
||||||
})
|
})
|
||||||
|
|
||||||
it('should not fail with int value', function () {
|
it('should not fail with int value', function () {
|
||||||
|
|