Koenig - Pass html card content through sanitiser

refs https://github.com/TryGhost/Ghost/issues/9724
- extract html sanitisation into a Koenig helper `{{sanitise-html}}` (all markdown handling will eventually move into Koenig too)
- render sanitised html in the html card
This commit is contained in:
Kevin Ansfield 2018-08-09 14:59:03 +01:00
parent 9832414374
commit 359fcb0756
5 changed files with 58 additions and 15 deletions

View File

@ -1,9 +1,8 @@
/* global html_sanitize */
import cajaSanitizers from './caja-sanitizers';
import markdownit from 'npm:markdown-it';
import markdownitFootnote from 'npm:markdown-it-footnote';
import markdownitLazyHeaders from 'npm:markdown-it-lazy-headers';
import markdownitMark from 'npm:markdown-it-mark';
import {sanitizeHtml} from 'koenig-editor/helpers/sanitize-html';
let slugify = function slugify(inputString, usedHeaders) {
let slug = inputString.replace(/[^\w]/g, '').toLowerCase();
@ -62,16 +61,5 @@ export default function formatMarkdown(_markdown, replaceJS = true) {
// convert markdown to HTML
escapedhtml = md.render(markdown);
// replace script and iFrame
if (replaceJS) {
escapedhtml = escapedhtml.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
'<pre class="js-embed-placeholder">Embedded JavaScript</pre>');
escapedhtml = escapedhtml.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi,
'<pre class="iframe-embed-placeholder">Embedded iFrame</pre>');
}
// sanitize html
escapedhtml = html_sanitize(escapedhtml, cajaSanitizers.url, cajaSanitizers.id);
return escapedhtml;
return sanitizeHtml(escapedhtml, {replaceJS});
}

View File

@ -0,0 +1,27 @@
/* global html_sanitize */
import cajaSanitizers from 'ghost-admin/utils/caja-sanitizers';
import {assign} from '@ember/polyfills';
import {helper} from '@ember/component/helper';
import {htmlSafe} from '@ember/string';
import {isArray} from '@ember/array';
export function sanitizeHtml(params, options = {}) {
let html = isArray(params) ? params[0] : params;
options = assign({replaceJS: true}, options);
// replace script and iFrame
if (options.replaceJS) {
html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
'<pre class="js-embed-placeholder">Embedded JavaScript</pre>');
html = html.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi,
'<pre class="iframe-embed-placeholder">Embedded iFrame</pre>');
}
// sanitize html
html = html_sanitize(html, cajaSanitizers.url, cajaSanitizers.id);
return htmlSafe(html);
}
export default helper(sanitizeHtml);

View File

@ -19,7 +19,7 @@
update=(action "updateHtml")
}}
{{else}}
<div class="koenig-card-html-rendered">{{{payload.html}}}</div>
<div class="koenig-card-html-rendered">{{sanitize-html payload.html}}</div>
<div class="koenig-card-click-overlay"></div>
{{/if}}
{{/koenig-card}}

View File

@ -0,0 +1 @@
export {default, sanitizeHtml} from 'koenig-editor/helpers/sanitize-html';

View File

@ -0,0 +1,27 @@
import hbs from 'htmlbars-inline-precompile';
import {describe, it} from 'mocha';
import {expect} from 'chai';
import {setupComponentTest} from 'ember-mocha';
describe('Integration: Helper: sanitize-html', function () {
setupComponentTest('sanitize-html', {
integration: true
});
it('renders html', function () {
this.set('inputValue', '<strong>bold</strong>');
this.render(hbs`{{sanitize-html inputValue}}`);
expect(this.$().html().trim()).to.equal('<strong>bold</strong>');
});
it('replaces scripts', function () {
this.set('inputValue', '<script></script>');
this.render(hbs`{{sanitize-html inputValue}}`);
expect(this.$().html().trim()).to.equal('<pre class="js-embed-placeholder">Embedded JavaScript</pre>');
});
});