authorXhmikosR <xhmikosr@gmail.com>2021-10-07 17:48:36 +0300
committerGitHub <noreply@github.com>2021-10-07 17:48:36 +0300
commit64e13162faa692aa2d12071ad9a14a3ac1b08a6f (patch)
treeba54284addb11feecc37d7e00af42528868c2c7a
parent9ff87f5f0ef9d35af922ee2833deb875908686d6 (diff)
Sanitizer: fix logic and add a test. (#35133)
This was inadvertently broken in 2596c97. Added a test so that we don't hit this again in the future.
-rw-r--r--js/src/util/sanitizer.js2
-rw-r--r--js/tests/unit/util/sanitizer.spec.js25
2 files changed, 26 insertions, 1 deletions
diff --git a/js/src/util/sanitizer.js b/js/src/util/sanitizer.js
index f5a8287cd0..232416f3ab 100644
--- a/js/src/util/sanitizer.js
+++ b/js/src/util/sanitizer.js
@@ -45,7 +45,7 @@ const allowedAttribute = (attribute, allowedAttributeList) => {
// Check if a regular expression validates the attribute.
return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)
- .every(regex => regex.test(attributeName))
+ .some(regex => regex.test(attributeName))
}
export const DefaultAllowlist = {
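Review bot: The comment on the line above the filter ("Check if a regular expression validates the attribute") no longer describes the decision the new `.some` makes, and it also hides the second behavioural change: `.every` on an array with no RegExp entries returned `true` (every attribute allowed), whereas `.some` on an empty array returns `false`, so an allow list without any RegExp now rejects the attribute. I would replace the comment with `// Allow the attribute if at least one RegExp in the allow list matches its name; with no RegExp entries this yields false.` so the fail-closed behaviour is documented rather than incidental. Since `regex.test(attributeName)` matches anywhere in the name, the comment should also say that allow-list patterns are expected to be anchored (`^…$`), and that a pattern carrying the `g` or `y` flag would make `.test` stateful across calls via `lastIndex`. The enclosing `allowedAttribute` starts above the hunk, so where `attributeName` comes from is not visible here.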
diff --git a/js/tests/unit/util/sanitizer.spec.js b/js/tests/unit/util/sanitizer.spec.js
index 7379d221f4..28d624c878 100644
--- a/js/tests/unit/util/sanitizer.spec.js
+++ b/js/tests/unit/util/sanitizer.spec.js
@@ -23,6 +23,31 @@ describe('Sanitizer', () => {
expect(result).not.toContain('href="javascript:alert(7)')
})
+ it('should sanitize template and work with multiple regex', () => {
+ const template = [
+ '<div>',
+ ' <a href="javascript:alert(7)" aria-label="This is a link" data-foo="bar">Click me</a>',
+ ' <span>Some content</span>',
+ '</div>'
+ ].join('')
+
+ const myDefaultAllowList = DefaultAllowlist
+ // With the default allow list
+ let result = sanitizeHtml(template, myDefaultAllowList, null)
+
+ // `data-foo` won't be present
+ expect(result).not.toContain('data-foo="bar"')
+
+ // Add the following regex too
+ myDefaultAllowList['*'].push(/^data-foo/)
+
+ result = sanitizeHtml(template, myDefaultAllowList, null)
+
+ expect(result).not.toContain('href="javascript:alert(7)') // This is in the default list
+ expect(result).toContain('aria-label="This is a link"') // This is in the default list
+ expect(result).toContain('data-foo="bar"') // We explicitly allow this
+ })
+
it('should allow aria attributes and safe attributes', () => {
const template = [
'<div aria-pressed="true">',
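Review bot: `const myDefaultAllowList = DefaultAllowlist` on the new line aliases the exported object instead of copying it, so `myDefaultAllowList['*'].push(/^data-foo/)` mutates the module-level default allow list, and every spec that runs afterwards in the same bundle presumably sees `data-foo` as permitted, which weakens their assertions without any failure pointing back here. Copy before mutating: `const myDefaultAllowList = { ...DefaultAllowlist, '*': [...DefaultAllowlist['*']] }`. The pattern `/^data-foo/` is also only start-anchored, so it would admit `data-foo-bar` as well; `/^data-foo$/` pins the test to the attribute it names. The `describe` block enclosing this `it` starts and ends outside the hunk.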