Sanitizer: fix logic and add a test. (#35133)
This was inadvertently broken in 2596c97. A test was added so that we don't hit this again in the future.
This commit is contained in:
parent
9ff87f5f0e
commit
64e13162fa
@ -45,7 +45,7 @@ const allowedAttribute = (attribute, allowedAttributeList) => {
|
||||
|
||||
// Check if a regular expression validates the attribute.
|
||||
return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)
|
||||
.every(regex => regex.test(attributeName))
|
||||
.some(regex => regex.test(attributeName))
|
||||
}
|
||||
|
||||
export const DefaultAllowlist = {
|
||||
|
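Review bot: `regex.test(attributeName)` on the new `.some` line is stateful for any allowlist entry that carries the `g` or `y` flag, because `RegExp.prototype.test` advances `lastIndex` on the shared RegExp object that is reused for every attribute of every element, so a consumer-supplied pattern such as `/^data-/g` could alternate between matching and not matching across attributes; either document that allowlist patterns must be flagless or reset `lastIndex` before testing. The filter-then-some pair can also be collapsed into one pass with a comment stating the semantics: `// An attribute is allowed when at least one allowlist RegExp matches its name.` followed by `return allowedAttributeList.some(regex => regex instanceof RegExp && regex.test(attributeName))`. Since `DefaultAllowlist` at the bottom of the hunk is a plain mutable object, the new spec's `myDefaultAllowList['*'].push(/^data-foo/)` appends to the shared default rather than to a copy, which appears to leak `data-foo` into every later spec; copying with `{ ...DefaultAllowlist, '*': [...DefaultAllowlist['*']] }` in the test would avoid that. allowedAttribute's signature and the `attributeName` binding begin above the hunk.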
@ -23,6 +23,31 @@ describe('Sanitizer', () => {
|
||||
expect(result).not.toContain('href="javascript:alert(7)')
|
||||
})
|
||||
|
||||
it('should sanitize template and work with multiple regex', () => {
|
||||
const template = [
|
||||
'<div>',
|
||||
' <a href="javascript:alert(7)" aria-label="This is a link" data-foo="bar">Click me</a>',
|
||||
' <span>Some content</span>',
|
||||
'</div>'
|
||||
].join('')
|
||||
|
||||
const myDefaultAllowList = DefaultAllowlist
|
||||
// With the default allow list
|
||||
let result = sanitizeHtml(template, myDefaultAllowList, null)
|
||||
|
||||
// `data-foo` won't be present
|
||||
expect(result).not.toContain('data-foo="bar"')
|
||||
|
||||
// Add the following regex too
|
||||
myDefaultAllowList['*'].push(/^data-foo/)
|
||||
|
||||
result = sanitizeHtml(template, myDefaultAllowList, null)
|
||||
|
||||
expect(result).not.toContain('href="javascript:alert(7)') // This is in the default list
|
||||
expect(result).toContain('aria-label="This is a link"') // This is in the default list
|
||||
expect(result).toContain('data-foo="bar"') // We explicitly allow this
|
||||
})
|
||||
|
||||
it('should allow aria attributes and safe attributes', () => {
|
||||
const template = [
|
||||
'<div aria-pressed="true">',
|
||||
|