0
0
mirror of https://github.com/twbs/bootstrap.git synced 2024-11-29 11:24:18 +01:00

Sanitizer: fix logic and add a test. (#35133)

This was broken in 2596c97 inadvertently.
Added a test so that we don't hit this in the future.
This commit is contained in:
XhmikosR 2021-10-07 17:48:36 +03:00 committed by GitHub
parent 9ff87f5f0e
commit 64e13162fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 1 deletions

View File

@ -45,7 +45,7 @@ const allowedAttribute = (attribute, allowedAttributeList) => {
// Check if a regular expression validates the attribute.
return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)
.every(regex => regex.test(attributeName))
.some(regex => regex.test(attributeName))
}
export const DefaultAllowlist = {

View File

@ -23,6 +23,31 @@ describe('Sanitizer', () => {
expect(result).not.toContain('href="javascript:alert(7)')
})
it('should sanitize template and work with multiple regex', () => {
const template = [
'<div>',
' <a href="javascript:alert(7)" aria-label="This is a link" data-foo="bar">Click me</a>',
' <span>Some content</span>',
'</div>'
].join('')
const myDefaultAllowList = DefaultAllowlist
// With the default allow list
let result = sanitizeHtml(template, myDefaultAllowList, null)
// `data-foo` won't be present
expect(result).not.toContain('data-foo="bar"')
// Add the following regex too
myDefaultAllowList['*'].push(/^data-foo/)
result = sanitizeHtml(template, myDefaultAllowList, null)
expect(result).not.toContain('href="javascript:alert(7)') // This is in the default list
expect(result).toContain('aria-label="This is a link"') // This is in the default list
expect(result).toContain('data-foo="bar"') // We explicitly allow this
})
it('should allow aria attributes and safe attributes', () => {
const template = [
'<div aria-pressed="true">',