@bobmatnyc/ai-code-review
Version:
A TypeScript-based tool for automated code reviews using AI models from Google Gemini, Anthropic Claude, and OpenRouter
83 lines (82 loc) • 3.47 kB
TypeScript
/**
* @fileoverview Content sanitization utilities for preventing XSS attacks.
*
* This module provides sanitization functions to clean user-generated or AI-generated
* content before rendering or storing it. It uses DOMPurify to remove potentially
* malicious HTML, JavaScript, and other harmful content while preserving legitimate
* formatting elements. It also includes utilities for sanitizing filenames to ensure
* they are safe for use in file systems.
*/
/**
* Sanitizes HTML content to prevent Cross-Site Scripting (XSS) attacks.
*
* This function uses DOMPurify to clean HTML content by:
* 1. Allowing only safe HTML tags (h1-h6, p, lists, tables, etc.)
* 2. Allowing only safe attributes (href, class, id, etc.)
* 3. Explicitly forbidding dangerous tags (script, iframe, svg, etc.)
* 4. Explicitly forbidding dangerous attributes (onerror, onclick, etc.)
*
* If sanitization fails for any reason, it returns an empty string for safety.
*
* @param {string} content - The HTML content to sanitize
* @returns {string} Sanitized HTML with potentially dangerous content removed
*
* @example
* const unsafeHtml = '<div>Safe content</div><script>alert("XSS")</script>';
* const safeHtml = sanitizeHtml(unsafeHtml);
* // Returns: "<div>Safe content</div>"
*
* @throws Catches internally and returns empty string if DOMPurify fails
*/
export declare function sanitizeHtml(content: string): string;
/**
* Sanitize Markdown content
* @param content Markdown content to sanitize
* @returns Sanitized Markdown content
*/
export declare function sanitizeMarkdown(content: string): string;
/**
* Sanitize JSON content
* @param content JSON content to sanitize
* @returns Sanitized JSON content
*/
export declare function sanitizeJson(content: string): string;
/**
* Sanitizes content based on its type to prevent security vulnerabilities.
*
* This function acts as a dispatcher that routes the content to the appropriate
* specialized sanitization function based on the content type. It supports
* HTML, Markdown, JSON, and plain text formats, each with type-specific
* sanitization rules.
*
* @param {string} content - The content to sanitize
* @param {('html'|'markdown'|'json'|'text')} [contentType='text'] - The type of content
* @returns {string} Sanitized content safe for rendering or storage
*
* @example
* // Sanitize HTML content
* const safeHtml = sanitizeContent('<script>alert("XSS")</script><p>Hello</p>', 'html');
* // Returns: "<p>Hello</p>"
*
* @example
* // Sanitize Markdown content
* const safeMarkdown = sanitizeContent('# Title\n<script>alert("XSS")</script>', 'markdown');
* // Returns: "# Title\n"
*
* @example
* // Sanitize JSON content
* const safeJson = sanitizeContent('{"key": "value"}', 'json');
* // Returns: '{"key":"value"}'
*/
export declare function sanitizeContent(content: string, contentType?: 'html' | 'markdown' | 'json' | 'text'): string;
/**
* Sanitize a filename to ensure it's safe for use in file systems
*
* This function removes or replaces characters that are not safe for use in filenames
* across different operating systems. It handles null/undefined inputs and preserves
* spaces and non-ASCII characters that are generally safe for modern file systems.
*
* @param filename The filename to sanitize
* @returns A sanitized filename safe for use in file systems
*/
export declare function sanitizeFilename(filename: string | null | undefined): string;