authorPatrick H. Lauke <redux@splintered.co.uk>2020-06-19 11:31:37 +0300
committerGitHub <noreply@github.com>2020-06-19 11:31:37 +0300
commitedbcc401c28e539ecdcf3c49c7ef2a74d0c28ebd (patch)
treea1e408cd3c48309c49fc06d7dbb52d96ae02fae0 /js
parent7acf586d3efa9b2bad6a93d81c7cdc3560de6cdf (diff)
Change whitelist to allowlist (#31066)
Co-authored-by: XhmikosR <xhmikosr@gmail.com> Co-authored-by: Mark Otto <markd.otto@gmail.com>
Diffstat (limited to 'js')
-rw-r--r--js/src/tooltip.js12
-rw-r--r--js/src/util/sanitizer.js12
-rw-r--r--js/tests/unit/util/sanitizer.spec.js14
3 files changed, 19 insertions, 19 deletions
diff --git a/js/src/tooltip.js b/js/src/tooltip.js
index 64011796de..33c0f6eec2 100644
--- a/js/src/tooltip.js
+++ b/js/src/tooltip.js
@@ -17,7 +17,7 @@ import {
typeCheckConfig
} from './util/index'
import {
- DefaultWhitelist,
+ DefaultAllowlist,
sanitizeHtml
} from './util/sanitizer'
import Data from './dom/data'
@@ -38,7 +38,7 @@ const DATA_KEY = 'bs.tooltip'
const EVENT_KEY = `.${DATA_KEY}`
const CLASS_PREFIX = 'bs-tooltip'
const BSCLS_PREFIX_REGEX = new RegExp(`(^|\\s)${CLASS_PREFIX}\\S+`, 'g')
-const DISALLOWED_ATTRIBUTES = ['sanitize', 'whiteList', 'sanitizeFn']
+const DISALLOWED_ATTRIBUTES = ['sanitize', 'allowList', 'sanitizeFn']
const DefaultType = {
animation: 'boolean',
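Review bot: `DISALLOWED_ATTRIBUTES` has no comment saying what it guards, and this rename shows why it needs one: the list must spell the sanitizer options exactly as `DefaultType` and `Default` do (the hunks at -55 and -84 rename the same key), or the entry stops matching anything. Its use is outside the visible hunks, but it presumably filters options that page markup must not be able to set, so I would add `// Sanitizer options that must not be configurable from markup; keep in sync with the keys in Default` above it. Separately, nothing visible still reads `whiteList`, so a caller passing a custom list under the old name would apparently fall back to `DefaultAllowlist` without any signal; that fails closed, but a migration note or a one-line warning when the old key is present would make it diagnosable.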
@@ -55,7 +55,7 @@ const DefaultType = {
boundary: '(string|element)',
sanitize: 'boolean',
sanitizeFn: '(null|function)',
- whiteList: 'object',
+ allowList: 'object',
popperConfig: '(null|object)'
}
@@ -84,7 +84,7 @@ const Default = {
boundary: 'scrollParent',
sanitize: true,
sanitizeFn: null,
- whiteList: DefaultWhitelist,
+ allowList: DefaultAllowlist,
popperConfig: null
}
@@ -428,7 +428,7 @@ class Tooltip {
if (this.config.html) {
if (this.config.sanitize) {
- content = sanitizeHtml(content, this.config.whiteList, this.config.sanitizeFn)
+ content = sanitizeHtml(content, this.config.allowList, this.config.sanitizeFn)
}
element.innerHTML = content
@@ -711,7 +711,7 @@ class Tooltip {
typeCheckConfig(NAME, config, this.constructor.DefaultType)
if (config.sanitize) {
- config.template = sanitizeHtml(config.template, config.whiteList, config.sanitizeFn)
+ config.template = sanitizeHtml(config.template, config.allowList, config.sanitizeFn)
}
return config
diff --git a/js/src/util/sanitizer.js b/js/src/util/sanitizer.js
index e1ec36a400..27bdf6cb1f 100644
--- a/js/src/util/sanitizer.js
+++ b/js/src/util/sanitizer.js
@@ -55,7 +55,7 @@ const allowedAttribute = (attr, allowedAttributeList) => {
return false
}
-export const DefaultWhitelist = {
+export const DefaultAllowlist = {
// Global attributes allowed on any supplied element below.
'*': ['class', 'dir', 'id', 'lang', 'role', ARIA_ATTRIBUTE_PATTERN],
a: ['target', 'href', 'title', 'rel'],
@@ -89,7 +89,7 @@ export const DefaultWhitelist = {
ul: []
}
-export function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
+export function sanitizeHtml(unsafeHtml, allowList, sanitizeFn) {
if (!unsafeHtml.length) {
return unsafeHtml
}
@@ -100,24 +100,24 @@ export function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
const domParser = new window.DOMParser()
const createdDocument = domParser.parseFromString(unsafeHtml, 'text/html')
- const whitelistKeys = Object.keys(whiteList)
+ const allowlistKeys = Object.keys(allowList)
const elements = [].concat(...createdDocument.body.querySelectorAll('*'))
for (let i = 0, len = elements.length; i < len; i++) {
const el = elements[i]
const elName = el.nodeName.toLowerCase()
- if (whitelistKeys.indexOf(elName) === -1) {
+ if (allowlistKeys.indexOf(elName) === -1) {
el.parentNode.removeChild(el)
continue
}
const attributeList = [].concat(...el.attributes)
- const whitelistedAttributes = [].concat(whiteList['*'] || [], whiteList[elName] || [])
+ const allowedAttributes = [].concat(allowList['*'] || [], allowList[elName] || [])
attributeList.forEach(attr => {
- if (!allowedAttribute(attr, whitelistedAttributes)) {
+ if (!allowedAttribute(attr, allowedAttributes)) {
el.removeAttribute(attr.nodeName)
}
})
diff --git a/js/tests/unit/util/sanitizer.spec.js b/js/tests/unit/util/sanitizer.spec.js
index c4259e7fd6..dcfad8436f 100644
--- a/js/tests/unit/util/sanitizer.spec.js
+++ b/js/tests/unit/util/sanitizer.spec.js
@@ -1,11 +1,11 @@
-import { DefaultWhitelist, sanitizeHtml } from '../../../src/util/sanitizer'
+import { DefaultAllowlist, sanitizeHtml } from '../../../src/util/sanitizer'
describe('Sanitizer', () => {
describe('sanitizeHtml', () => {
it('should return the same on empty string', () => {
const empty = ''
- const result = sanitizeHtml(empty, DefaultWhitelist, null)
+ const result = sanitizeHtml(empty, DefaultAllowlist, null)
expect(result).toEqual(empty)
})
@@ -18,7 +18,7 @@ describe('Sanitizer', () => {
'</div>'
].join('')
- const result = sanitizeHtml(template, DefaultWhitelist, null)
+ const result = sanitizeHtml(template, DefaultAllowlist, null)
expect(result.indexOf('script') === -1).toEqual(true)
})
@@ -30,20 +30,20 @@ describe('Sanitizer', () => {
'</div>'
].join('')
- const result = sanitizeHtml(template, DefaultWhitelist, null)
+ const result = sanitizeHtml(template, DefaultAllowlist, null)
expect(result.indexOf('aria-pressed') !== -1).toEqual(true)
expect(result.indexOf('class="test"') !== -1).toEqual(true)
})
- it('should remove not whitelist tags', () => {
+ it('should remove tags not in allowlist', () => {
const template = [
'<div>',
' <script>alert(7)</script>',
'</div>'
].join('')
- const result = sanitizeHtml(template, DefaultWhitelist, null)
+ const result = sanitizeHtml(template, DefaultAllowlist, null)
expect(result.indexOf('<script>') === -1).toEqual(true)
})
@@ -61,7 +61,7 @@ describe('Sanitizer', () => {
spyOn(DOMParser.prototype, 'parseFromString')
- const result = sanitizeHtml(template, DefaultWhitelist, mySanitize)
+ const result = sanitizeHtml(template, DefaultAllowlist, mySanitize)
expect(result).toEqual(template)
expect(DOMParser.prototype.parseFromString).not.toHaveBeenCalled()