UNPKG

@ordojs/security

Version:

Security package for OrdoJS with XSS, CSRF, and injection protection

130 lines (112 loc) 3.49 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
import createDOMPurify from 'dompurify'; import { JSDOM } from 'jsdom'; const window = new JSDOM('').window; const DOMPurify = createDOMPurify(window as any); /** * Configuration options for HTML sanitization */ export interface SanitizerOptions { /** * List of allowed HTML tags * @default ['a', 'b', 'br', 'code', 'div', 'em', 'i', 'li', 'ol', 'p', 'pre', 'span', 'strong', 'ul'] */ allowedTags?: string[]; /** * List of allowed HTML attributes * @default ['href', 'target', 'class', 'id', 'style'] */ allowedAttributes?: string[] | Record<string, string[]>; /** * Whether to allow data attributes (data-*) * @default false */ allowDataAttributes?: boolean; /** * Whether to strip all HTML and return text only * @default false */ stripAllTags?: boolean; } /** * Default sanitizer options with safe defaults */ const DEFAULT_OPTIONS: SanitizerOptions = { allowedTags: ['a', 'b', 'br', 'code', 'div', 'em', 'i', 'li', 'ol', 'p', 'pre', 'span', 'strong', 'ul'], allowedAttributes: ['href', 'target', 'class', 'id', 'style'], allowDataAttributes: false, stripAllTags: false, }; /** * HTML Sanitizer class for preventing XSS attacks * Uses DOMPurify under the hood with configurable options */ export class HtmlSanitizer { private options: SanitizerOptions; /** * Create a new HtmlSanitizer instance * @param options Sanitizer configuration options */ constructor(options: SanitizerOptions = {}) { this.options = { ...DEFAULT_OPTIONS, ...options }; } /** * Sanitize HTML content to prevent XSS attacks * @param html HTML content to sanitize * @returns Sanitized HTML */ sanitize(html: string): string { if (this.options.stripAllTags) { return DOMPurify.sanitize(html, { ALLOWED_TAGS: [] }) as unknown as string; } const config: any = { ALLOWED_TAGS: this.options.allowedTags, ALLOW_DATA_ATTR: this.options.allowDataAttributes, }; // Handle allowedAttributes which can be string[] or Record<string, string[]> if (Array.isArray(this.options.allowedAttributes)) { config.ALLOWED_ATTR = this.options.allowedAttributes; } else if (this.options.allowedAttributes) { config.ALLOWED_ATTR = this.options.allowedAttributes; } return DOMPurify.sanitize(html, config) as unknown as string; } /** * Update sanitizer options * @param options New sanitizer options */ updateOptions(options: Partial<SanitizerOptions>): void { this.options = { ...this.options, ...options }; } /** * Create a sanitizer with strict settings (minimal allowed tags) * @returns A new HtmlSanitizer instance with strict settings */ static createStrict(): HtmlSanitizer { return new HtmlSanitizer({ allowedTags: ['b', 'em', 'i', 'strong', 'span'], allowedAttributes: ['class'], allowDataAttributes: false, }); } /** * Create a sanitizer that strips all HTML tags * @returns A new HtmlSanitizer instance that strips all HTML */ static createTextOnly(): HtmlSanitizer { return new HtmlSanitizer({ stripAllTags: true, }); } } /** * Create a default HTML sanitizer instance */ export const defaultSanitizer = new HtmlSanitizer(); /** * Sanitize HTML content using the default sanitizer * @param html HTML content to sanitize * @returns Sanitized HTML */ export function sanitizeHtml(html: string): string { return defaultSanitizer.sanitize(html); }