const sanitizeHtml = require('sanitize-html') /** * Sanitize a translation string to prevent injection attacks * * @param {string} input * @returns {string} */ function sanitize(input) { // Block Angular XSS // Ticket: https://github.com/overleaf/issues/issues/4478 input = input.replace(/'/g, '’') // Use left quote where (likely) appropriate. input.replace(/ ’/g, ' ‘') return sanitizeHtml(input, { // Allow "replacement" tags (in the format <0>, <1>, <2>, etc) used by // react-i18next to allow for HTML insertion via the Trans component. // See: https://github.com/overleaf/developer-manual/blob/master/code/translations.md // Unfortunately the sanitizeHtml library does not accept regexes or a // function for the allowedTags option, so we are limited to a hard-coded // number of "replacement" tags. allowedTags: ['b', 'strong', 'a', 'code', ...range(10)], allowedAttributes: { a: ['href', 'class'], }, textFilter(text) { // Block Angular XSS if (text === '{') return '{' if (text === '}') return '}' return text .replace(/\{\{/, '{{') .replace(/\}\}/, '}}') }, }) } /** * Generate a range of numbers as strings up to the given size * * @param {number} size Size of range * @returns {string[]} */ function range(size) { return Array.from(Array(size).keys()).map(n => n.toString()) } module.exports = { sanitize }