/*
* Copyright 2019 Adobe. All rights reserved.
* This file is licensed to you under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under
* the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
* OF ANY KIND, either express or implied. See the License for the specific language
* governing permissions and limitations under the License.
*/
import createDOMPurify from 'dompurify';
/**
 * DOMPurify configuration shared by every sanitize() call in this module.
 *
 * ADD_TAGS extends DOMPurify's default tag allowlist with the ESI element
 * vocabulary (see https://www.w3.org/TR/esi-lang) so that edge-side-include
 * markup survives sanitization. RETURN_DOM makes DOMPurify hand back a DOM
 * node rather than a serialized string, which sanitize() writes straight back
 * into the document.
 *
 * NOTE(review): this object lives at module level and is reused across
 * requests; it is not frozen, so any accidental mutation would change the
 * sanitizer's behavior for every later call — confirm the DOMPurify version in
 * use leaves the passed config untouched before relying on that.
 */
const helixSanitizationConfig = {
  // Every ESI tag, prefixed with the `esi:` namespace DOMPurify expects to see.
  ADD_TAGS: [
    'try',
    'attempt',
    'except',
    'choose',
    'when',
    'otherwise',
    'include',
    'inline',
    'remove',
    'vars',
    'comment',
  ].map((localName) => `esi:${localName}`),
  RETURN_DOM: true,
};
/**
 * Matches names of the shape `word-word`, where `\w` is [A-Za-z0-9_]. Used by
 * the sanitization hooks below to recognise custom element and attribute
 * names that should be retained.
 *
 * Exactly one hyphen is accepted, so names with several hyphens (e.g.
 * `x-foo-bar`) do not match; conversely the pattern is broader than the HTML
 * custom-element name rules (leading digits, underscores and uppercase pass).
 * No `g`/`y` flag is set, so `.test()` and `.match()` are stateless.
 */
const CUSTOM_NAME_REGEX = new RegExp('^\\w+-\\w+$');
/**
 * Register a DOMPurify hook that keeps custom elements during sanitization.
 *
 * For every element DOMPurify inspects, the hook tests the node's name against
 * CUSTOM_NAME_REGEX and, on a match, marks DOMPurify's tag name for that node
 * as allowed by writing into the `data.allowedTags` object DOMPurify passes in.
 * The hook touches only the tag allowlist; it does not alter attribute
 * handling, which remains subject to DOMPurify's own checks.
 *
 * @param {Object} DOMPurify the DOMPurify instance
 */
function allowCustomElements(DOMPurify) {
  const isCustomName = (name) => Boolean(name) && CUSTOM_NAME_REGEX.test(name);
  DOMPurify.addHook('uponSanitizeElement', (node, data) => {
    if (!isCustomName(node.nodeName)) {
      return;
    }
    const { allowedTags, tagName } = data;
    // Widening the allowlist handed in by DOMPurify is how this hook keeps the
    // element; the object is DOMPurify's, not a caller-owned value.
    allowedTags[tagName] = true;
  });
}
/**
 * Register a DOMPurify hook that keeps custom attributes during sanitization.
 *
 * For every attribute DOMPurify inspects, the hook tests the attribute name
 * against CUSTOM_NAME_REGEX and, on a match, marks it as allowed by writing
 * into the `data.allowedAttributes` object DOMPurify passes in. Only the
 * attribute *name* is checked here; nothing about the attribute's value is
 * inspected by this hook.
 *
 * @param {Object} DOMPurify the DOMPurify instance
 */
function allowCustomAttributes(DOMPurify) {
  const isCustomName = (name) => Boolean(name) && CUSTOM_NAME_REGEX.test(name);
  DOMPurify.addHook('uponSanitizeAttribute', (node, data) => {
    const { attrName, allowedAttributes } = data;
    if (!isCustomName(attrName)) {
      return;
    }
    // Widening the allowlist handed in by DOMPurify is how this hook keeps the
    // attribute; the object is DOMPurify's, not a caller-owned value.
    allowedAttributes[attrName] = true;
  });
}
/**
 * Pipeline step: run the content body through DOMPurify so that markup which
 * could lead to XSS is stripped, while ESI tags (via helixSanitizationConfig)
 * and custom elements/attributes (via the hooks registered above) survive.
 *
 * A DOMPurify instance is created from the document's window on every call
 * and the hooks are attached to that instance, so nothing accumulates on a
 * shared purifier between requests. The sanitized DOM that DOMPurify returns
 * (RETURN_DOM is set in the config) replaces `content.document.body` in
 * place; the function itself returns nothing.
 *
 * @param {Object} context pipeline context; `content.document` must be present
 * @param {Object} action pipeline action; `logger.debug` is called once
 */
export default function sanitize({ content }, { logger }) {
  logger.debug('Sanitizing content body to avoid XSS injections.');
  const { document } = content;
  const purifier = createDOMPurify(document.window);
  allowCustomElements(purifier);
  allowCustomAttributes(purifier);
  document.body = purifier.sanitize(document.body, helixSanitizationConfig);
}