UNPKG

@bobmatnyc/ai-code-review

Version:

A TypeScript-based tool for automated code reviews using AI models from Google Gemini, Anthropic Claude, and OpenRouter

83 lines (82 loc) 3.47 kB
/** * @fileoverview Content sanitization utilities for preventing XSS attacks. * * This module provides sanitization functions to clean user-generated or AI-generated * content before rendering or storing it. It uses DOMPurify to remove potentially * malicious HTML, JavaScript, and other harmful content while preserving legitimate * formatting elements. It also includes utilities for sanitizing filenames to ensure * they are safe for use in file systems. */ /** * Sanitizes HTML content to prevent Cross-Site Scripting (XSS) attacks. * * This function uses DOMPurify to clean HTML content by: * 1. Allowing only safe HTML tags (h1-h6, p, lists, tables, etc.) * 2. Allowing only safe attributes (href, class, id, etc.) * 3. Explicitly forbidding dangerous tags (script, iframe, svg, etc.) * 4. Explicitly forbidding dangerous attributes (onerror, onclick, etc.) * * If sanitization fails for any reason, it returns an empty string for safety. * * @param {string} content - The HTML content to sanitize * @returns {string} Sanitized HTML with potentially dangerous content removed * * @example * const unsafeHtml = '<div>Safe content</div><script>alert("XSS")</script>'; * const safeHtml = sanitizeHtml(unsafeHtml); * // Returns: "<div>Safe content</div>" * * @throws Catches internally and returns empty string if DOMPurify fails */ export declare function sanitizeHtml(content: string): string; /** * Sanitize Markdown content * @param content Markdown content to sanitize * @returns Sanitized Markdown content */ export declare function sanitizeMarkdown(content: string): string; /** * Sanitize JSON content * @param content JSON content to sanitize * @returns Sanitized JSON content */ export declare function sanitizeJson(content: string): string; /** * Sanitizes content based on its type to prevent security vulnerabilities. * * This function acts as a dispatcher that routes the content to the appropriate * specialized sanitization function based on the content type. It supports * HTML, Markdown, JSON, and plain text formats, each with type-specific * sanitization rules. * * @param {string} content - The content to sanitize * @param {('html'|'markdown'|'json'|'text')} [contentType='text'] - The type of content * @returns {string} Sanitized content safe for rendering or storage * * @example * // Sanitize HTML content * const safeHtml = sanitizeContent('<script>alert("XSS")</script><p>Hello</p>', 'html'); * // Returns: "<p>Hello</p>" * * @example * // Sanitize Markdown content * const safeMarkdown = sanitizeContent('# Title\n<script>alert("XSS")</script>', 'markdown'); * // Returns: "# Title\n" * * @example * // Sanitize JSON content * const safeJson = sanitizeContent('{"key": "value"}', 'json'); * // Returns: '{"key":"value"}' */ export declare function sanitizeContent(content: string, contentType?: 'html' | 'markdown' | 'json' | 'text'): string; /** * Sanitize a filename to ensure it's safe for use in file systems * * This function removes or replaces characters that are not safe for use in filenames * across different operating systems. It handles null/undefined inputs and preserves * spaces and non-ASCII characters that are generally safe for modern file systems. * * @param filename The filename to sanitize * @returns A sanitized filename safe for use in file systems */ export declare function sanitizeFilename(filename: string | null | undefined): string;