mirror of
https://github.com/overleaf/overleaf.git
synced 2025-01-04 04:11:38 +00:00
2b2e9cfe45
* [web] scripts/translations: update package-lock to version 2 * Bump sanitize-html in /services/web/scripts/translations Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html) from 1.27.3 to 2.7.0. - [Release notes](https://github.com/apostrophecms/sanitize-html/releases) - [Changelog](https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md) - [Commits](https://github.com/apostrophecms/sanitize-html/commits/2.7.0) --- updated-dependencies: - dependency-name: sanitize-html dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * [web] adapt locales escaping and usage for new sanitize-html version Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> GitOrigin-RevId: 5df107a0a4b3d7c408f676ee363169f0ef0de28f
44 lines
1.4 KiB
JavaScript
44 lines
1.4 KiB
JavaScript
const sanitizeHtml = require('sanitize-html')
|
||
|
||
/**
|
||
* Sanitize a translation string to prevent injection attacks
|
||
*
|
||
* @param {string} input
|
||
* @returns {string}
|
||
*/
|
||
function sanitize(input) {
|
||
// Block Angular XSS
|
||
// Ticket: https://github.com/overleaf/issues/issues/4478
|
||
input = input.replace(/'/g, '’')
|
||
// Use left quote where (likely) appropriate.
|
||
input.replace(/ ’/g, ' ‘')
|
||
|
||
// Allow "replacement" tags (in the format <0>, <1>, <2>, etc) used by
|
||
// react-i18next to allow for HTML insertion via the Trans component.
|
||
// See: https://github.com/overleaf/developer-manual/blob/master/code/translations.md
|
||
// The html parser of sanitize-html is only accepting ASCII alpha characters
|
||
// at the start of HTML tags. So we need to replace these ahead of parsing
|
||
// and restore them afterwards.
|
||
input = input.replaceAll(/<([/]?[0-9])>/g, '<$1>')
|
||
|
||
return (
|
||
sanitizeHtml(input, {
|
||
allowedTags: ['b', 'strong', 'a', 'code'],
|
||
allowedAttributes: {
|
||
a: ['href', 'class'],
|
||
},
|
||
textFilter(text) {
|
||
// Block Angular XSS
|
||
if (text === '{') return '{'
|
||
if (text === '}') return '}'
|
||
return text
|
||
.replace(/\{\{/, '{{')
|
||
.replace(/\}\}/, '}}')
|
||
},
|
||
})
|
||
// Restore the escaping again.
|
||
.replaceAll(/<([/]?[0-9])>/g, '<$1>')
|
||
)
|
||
}
|
||
|
||
module.exports = { sanitize }
|