UNPKG

ember-css-url

Version:

A helper for safely embedding URLs in style properties

github.com/ef4/ember-css-url

ef4/ember-css-url

33 lines (22 loc) 921 B
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import { htmlSafe } from '@ember/template'; function cssUrl(propertyName, url) { if (!/^[-a-zA-Z]+$/.test(propertyName)) { throw new Error(`Potentially unsafe property name ${propertyName}`); } if (!url) { return; } // Step 1: Make sure there are no un-encoded double quotes let encodedURL = url.replace(/"/g, '%22'); // Step 2: if there is a protocol present, whitelist only http and // https. This prevents shenanigans like "javascript://" URLs (which // certain older browsers may execute). let m = /^([^:]+):/.exec(encodedURL); if (m) { let proto = m[1].toLowerCase(); if (proto !== 'http' && proto !== 'https') { throw new Error(`disallowed protocol in css url: ${url}`); } } // Step 3: Use our own double quotes, which the url cannot break out // of due to Step 1. return htmlSafe(`${propertyName}: url("${encodedURL}")`); } export { cssUrl as default };