overleaf/services/web/scripts/translations/sanitize.js
dependabot[bot] 2b2e9cfe45 Bump sanitize-html from 1.27.3 to 2.7.0 in /services/web/scripts/translations (#6651)
* [web] scripts/translations: update package-lock to version 2

* Bump sanitize-html in /services/web/scripts/translations

Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html) from 1.27.3 to 2.7.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases)
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/sanitize-html/commits/2.7.0)

---
updated-dependencies:
- dependency-name: sanitize-html
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* [web] adapt locales escaping and usage for new sanitize-html version

Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
GitOrigin-RevId: 5df107a0a4b3d7c408f676ee363169f0ef0de28f
2022-05-18 08:04:19 +00:00



const sanitizeHtml = require('sanitize-html')
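/**
 * Sanitize a translation string before it is handed to the UI as HTML.
 *
 * Two injection surfaces are handled:
 *  - HTML/script injection: only the small tag/attribute allow-list below
 *    survives sanitize-html.
 *  - Angular interpolation: ASCII apostrophes and `{{` / `}}` (or a lone
 *    brace text node) are rewritten so the string cannot open an Angular
 *    expression. Ticket: https://github.com/overleaf/issues/issues/4478
 *
 * Numeric "replacement" tags (<0>, </1>, ...) used by react-i18next's Trans
 * component are preserved: sanitize-html's parser only accepts ASCII alpha
 * characters at the start of a tag, so they are entity-escaped ahead of
 * parsing and restored afterwards. As a consequence a literal `&lt;N&gt;`
 * present in the input is also turned into `<N>` on the way out.
 * See: https://github.com/overleaf/developer-manual/blob/master/code/translations.md
 *
 * @param {string} input - raw translation string from the locale files
 * @returns {string} the sanitized string
 */
function sanitize(input) {
  // Block Angular XSS: rewrite ASCII apostrophes.
  // NOTE(review): the replacement strings on this and the next line appear
  // to have lost non-ASCII quote characters when the file was rendered —
  // confirm the literals against the repository source.
  input = input.replace(/'/g, '')
  // Use left quote where (likely) appropriate.
  // The result of replace() was previously discarded, so this step never
  // took effect; it is now assigned back.
  input = input.replace(/ /g, ' ')
  // Escape replacement tags (<0>, </1>, ...) so the HTML parser keeps them
  // as text instead of dropping them as unknown tags.
  input = input.replaceAll(/<([/]?[0-9])>/g, '&lt;$1&gt;')
  const cleaned = sanitizeHtml(input, {
    allowedTags: ['b', 'strong', 'a', 'code'],
    allowedAttributes: {
      // href is not restricted further here; sanitize-html's default scheme
      // allow-list applies to it — confirm for the pinned version.
      a: ['href', 'class'],
    },
    textFilter(text) {
      // Block Angular XSS inside text nodes. A lone brace node is escaped as
      // a whole; otherwise every `{{` / `}}` pair is escaped (the previous
      // non-global regexes only caught the first pair in a node).
      if (text === '{') return '&#123;'
      if (text === '}') return '&#125;'
      return text
        .replaceAll(/\{\{/g, '&#123;&#123;')
        .replaceAll(/\}\}/g, '&#125;&#125;')
    },
  })
  // Restore the replacement tags escaped above.
  return cleaned.replaceAll(/&lt;([/]?[0-9])&gt;/g, '<$1>')
}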
// CommonJS export; callers use `const { sanitize } = require('./sanitize')`.
module.exports = { sanitize }