mirror of
https://github.com/tenrok/BBob.git
synced 2026-06-14 18:42:24 +03:00
fix(html): escape bad html (#67)
* feat(preset-html5): add feature to filter javascript: urls * fix(plugin-helper): escape html in attrs * fix(plugin-helper): tests for html escape * refactor(preset-html5): remove html escape from preset * feat(preset): add ability to pass and extend preset options
This commit is contained in:
Nikolay Kostyurin
committed by
GitHub
GitHub
parent
ba090bf997
commit
87f38fe97e
@@ -27,7 +27,14 @@ const appendToNode = (node, value) => {
|
||||
* Replaces " to &qquot;
|
||||
* @param {String} value
|
||||
*/
|
||||
const escapeQuote = (value) => value.replace(/"/g, '"');
|
||||
const escapeHTML = (value) => value
|
||||
.replace(/&/g, '&')
|
||||
.replace(/</g, '<')
|
||||
.replace(/>/g, '>')
|
||||
.replace(/"/g, '"')
|
||||
.replace(/'/g, ''')
|
||||
// eslint-disable-next-line no-script-url
|
||||
.replace('javascript:', 'javascript%3A');
|
||||
|
||||
/**
|
||||
* Acept name and value and return valid html5 attribute string
|
||||
@@ -41,8 +48,8 @@ const attrValue = (name, value) => {
|
||||
const types = {
|
||||
boolean: () => (value ? `${name}` : ''),
|
||||
number: () => `${name}="${value}"`,
|
||||
string: () => `${name}="${escapeQuote(value)}"`,
|
||||
object: () => `${name}="${escapeQuote(JSON.stringify(value))}"`,
|
||||
string: () => `${name}="${escapeHTML(value)}"`,
|
||||
object: () => `${name}="${escapeHTML(JSON.stringify(value))}"`,
|
||||
};
|
||||
|
||||
return types[type] ? types[type]() : '';
|
||||
@@ -78,6 +85,7 @@ export {
|
||||
attrsToString,
|
||||
attrValue,
|
||||
appendToNode,
|
||||
escapeHTML,
|
||||
getNodeLength,
|
||||
getUniqAttr,
|
||||
isTagNode,
|
||||
|
||||
@@ -80,11 +80,26 @@ describe('@bbob/plugin-helper', () => {
|
||||
disabled: true
|
||||
})).toBe(` tag="test" foo="bar" disabled`)
|
||||
});
|
||||
|
||||
|
||||
test('attrsToString undefined', () => {
|
||||
expect(attrsToString(undefined)).toBe('')
|
||||
});
|
||||
|
||||
describe('attrsToString escape', () => {
|
||||
test(`javascript:alert("hello")`, () => {
|
||||
expect(attrsToString({
|
||||
onclick: `javascript:alert('hello')`,
|
||||
href: `javascript:alert('hello')`,
|
||||
})).toBe(` onclick="javascript%3Aalert('hello')" href="javascript%3Aalert('hello')"`)
|
||||
});
|
||||
test(`<tag>`, () => {
|
||||
expect(attrsToString({
|
||||
onclick: `<tag>`,
|
||||
href: `<tag>`,
|
||||
})).toBe(` onclick="<tag>" href="<tag>"`)
|
||||
});
|
||||
});
|
||||
|
||||
test('getUniqAttr with unq attr', () => {
|
||||
expect(getUniqAttr({foo: true, 'http://bar.com': 'http://bar.com'})).toBe('http://bar.com')
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user