"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.validateTextInput = validateTextInput;
exports.sanitizeControlChars = sanitizeControlChars;
exports.sanitizeText = sanitizeText;
const types_1 = require("../../types");
const security_1 = require("../../constants/security");

/**
 * Reject a non-string `text`, then sanitize it and validate the result.
 *
 * The order of the steps is deliberate:
 *   1. the length bound is applied to the raw input, so an oversized payload is
 *      rejected before any regex work is done on it;
 *   2. control, bidi, zero-width and other format characters are stripped;
 *   3. only the stripped text is matched against the dangerous-pattern list,
 *      so an invisible character inserted inside a token (e.g. a zero-width
 *      joiner splitting a tag name) cannot hide that token from the check.
 *
 * @param {unknown} text - value to validate; anything but a string is rejected
 * @param {string} [fieldName='text'] - label used in the error messages
 * @returns {string} the sanitized (control-free, trimmed) text
 * @throws {PreviewGeneratorError} with ErrorType.VALIDATION_ERROR when `text`
 *   is not a string, is longer than MAX_TEXT_LENGTH (UTF-16 code units), or
 *   still matches a dangerous pattern after sanitization
 */
function validateTextInput(text, fieldName = 'text') {
  const invalid = (message) =>
    new types_1.PreviewGeneratorError(types_1.ErrorType.VALIDATION_ERROR, message);

  if (typeof text !== 'string') {
    throw invalid(`${fieldName} must be a string`);
  }
  // Measured on the raw input; the sanitized result can only be shorter.
  if (text.length > security_1.MAX_TEXT_LENGTH) {
    throw invalid(`${fieldName} exceeds maximum length of ${security_1.MAX_TEXT_LENGTH} characters`);
  }

  const cleaned = sanitizeControlChars(text);
  if (!isSafeTextInput(cleaned)) {
    throw invalid(`${fieldName} contains potentially dangerous characters or patterns`);
  }
  return cleaned;
}

/**
 * Strip control and invisible formatting characters from `text`.
 *
 * Patterns are applied in this order: ASCII_CONTROL_CHARS (the constant is
 * described in the security module as sparing tab, newline and carriage
 * return), EXTENDED_ASCII_CONTROL_CHARS, then every entry of
 * BIDI_CONTROL_CHARS, ZERO_WIDTH_CHARS and DANGEROUS_UNICODE_CHARS. The result
 * is trimmed.
 *
 * NOTE(review): each pattern is applied with one String#replace, which only
 * removes every occurrence if the constant is a global (`/g`) RegExp — confirm
 * in ../../constants/security. When reached through validateTextInput a
 * non-global ASCII_CONTROL_CHARS would fail closed, because isSafeTextInput
 * re-checks that pattern and rejects any survivor; calling this function
 * directly gives no such guarantee. No Unicode normalization (NFKC) is
 * performed, so confusable/homoglyph characters are not addressed here.
 *
 * @param {string} text - string to clean (callers pass an already type-checked value)
 * @returns {string} text with the listed characters removed, then trimmed
 */
function sanitizeControlChars(text) {
  const patternGroups = [
    [security_1.ASCII_CONTROL_CHARS, security_1.EXTENDED_ASCII_CONTROL_CHARS],
    Object.values(security_1.BIDI_CONTROL_CHARS),
    Object.values(security_1.ZERO_WIDTH_CHARS),
    Object.values(security_1.DANGEROUS_UNICODE_CHARS),
  ];

  let result = text;
  for (const group of patternGroups) {
    for (const pattern of group) {
      result = result.replace(pattern, '');
    }
  }
  return result.trim();
}

/**
 * Validate and sanitize `text` under the default field name ('text').
 *
 * Thin alias of validateTextInput for callers that only want the cleaned
 * string; all checks and errors come from that function.
 *
 * @param {unknown} text - value to validate
 * @returns {string} the sanitized text
 * @throws {PreviewGeneratorError} see validateTextInput
 */
function sanitizeText(text) {
  return validateTextInput(text, 'text');
}

/**
 * Blocklist check: true unless `text` matches one of DANGEROUS_HTML_PATTERNS
 * or contains a character matched by ASCII_CONTROL_CHARS.
 *
 * A fresh RegExp is compiled from each constant's source/flags before calling
 * test(): on a shared `/g` or `/y` regex, RegExp#test advances `lastIndex`,
 * so reusing the shared object across calls would silently skip matches.
 *
 * Security caveat: a pattern blocklist is a heuristic, not an encoding step.
 * Whatever ultimately renders this text (not visible in this file) must still
 * escape it for its output context (HTML/SVG markup, attribute, etc.).
 *
 * @param {string} text - sanitized text to inspect
 * @returns {boolean} false on the first matching pattern, true otherwise
 */
function isSafeTextInput(text) {
  // HTML/script patterns first, then the control-character class, as a
  // defense-in-depth re-check of what sanitizeControlChars should have removed.
  const checks = [...security_1.DANGEROUS_HTML_PATTERNS, security_1.ASCII_CONTROL_CHARS];
  for (const re of checks) {
    const fresh = new RegExp(re.source, re.flags);
    if (fresh.test(text)) {
      return false;
    }
  }
  return true;
}