UNPKG

we-core

Version:

We.js is a node.js framework for build real time applications, sites or blogs!

github.com/wejs/we-core

wejs/we-plugin-core

133 lines (120 loc) 3.35 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
/** * We.js sanitizer to sanitize model and text variable data * */ var sanitizeHtml = require('sanitize-html'); var Sanitizer = function(we) { this.we = we; var sanitizer = this; // after define all models add term field hooks in models how have terms we.hooks.on('we:models:set:joins', function (we, done) { var models = we.db.models; for (var modelName in models) { // set sanitizer hook models[modelName].addHook('beforeCreate', 'sanitizeBeforeSv', sanitizer.DBBeforeUpdateAndCreateHook); models[modelName].addHook('beforeUpdate', 'sanitizeBeforeUP', sanitizer.DBBeforeUpdateAndCreateHook); } done(); }); // TODO move this to we.js config this.config = { allowedTags: [ // text blocks 'p', 'pre', 'code', 'blockquote', 'br', 'a', 'img', 'hr', 'mention', 'iframe', 'div', // text format 'b', 'i', 'em', 'strong', 'u', 'h1', 'h2', 'h3', 'h4', 'h5','h6', // list 'ul', 'ol', 'nl', 'li' ], selfClosing: [ 'br', 'img', 'hr' ], allowedAttributes: { 'span': [ 'style' ], 'div': [ 'style' ], 'i': ['class'], 'a': ['href', 'alt', 'target', 'type'], 'img': ['src', 'alt', 'style', 'class', 'data-filename', 'style', 'width', 'height'], 'iframe': ['src', 'width', 'height', 'frameborder'], 'mention': ['data-user-id'] } }; /** * sequelize hook handler to sanitize all text fields with we sanitizer * * @param {record} r * @param {options} opts * @param {Function} done */ this.DBBeforeUpdateAndCreateHook = function DBBeforeUpdateAndCreateHook(r, opts, done) { sanitizer.sanitizeModelAttrs(r, this.name); done(null, r); } }; /** * Sanitize one text html * @param {String} dirty html to sanitize * @return {String} sanitized html */ Sanitizer.prototype.sanitize = function sanitize (dirty) { return sanitizeHtml(dirty, this.config); }; /** * Sanitize all text attrs in one object * * @param {Object} obj sanitize obj attrs * @return {Object} return obj */ Sanitizer.prototype.sanitizeAllAttr = function sanitizeAllAttr(obj){ for (var prop in obj) { if (prop !== 'id') { if (typeof obj[prop] == 'string') { obj[prop] = this.sanitize(obj[prop]); } } } return obj; }; /** * Sanitize all sequelize text record attrs * * @param {Object} record sequelize record to sanitize * @param {String} modelName model name * @return {Object} return obj */ Sanitizer.prototype.sanitizeModelAttrs = function sanitizeModelAttrs(record, modelName) { var db = this.we.db; for (var prop in record.dataValues) { if (prop !== 'id') { if (typeof record.dataValues[prop] == 'string') { // if dont have value if (!record.getDataValue(prop)) continue; // check skip cfg, skipSanitizer if ( !db.modelsConfigs[modelName] || !db.modelsConfigs[modelName].definition[prop] || db.modelsConfigs[modelName].definition[prop].skipSanitizer ) { continue; } // sanitize this value record.setDataValue(prop, this.sanitize(record.getDataValue(prop))); } } } return record; }; module.exports = Sanitizer;