Koenig - Pass html card content through sanitiser
refs TryGhost/Ghost#9724 - extract html sanitisation into a Koenig helper `{{sanitise-html}}` (all markdown handling will eventually move into Koenig too) - render sanitised html in the html card
1 parent
85dc553
commit e9af153
Showing
5 changed files
with
58 additions
and
15 deletions.
@@ -0,0 +1,27 @@ | ||
/* global html_sanitize */ | ||
import cajaSanitizers from 'ghost-admin/utils/caja-sanitizers'; | ||
import {assign} from '@ember/polyfills'; | ||
import {helper} from '@ember/component/helper'; | ||
import {htmlSafe} from '@ember/string'; | ||
import {isArray} from '@ember/array'; | ||
|
||
export function sanitizeHtml(params, options = {}) { | ||
let html = isArray(params) ? params[0] : params; | ||
|
||
options = assign({replaceJS: true}, options); | ||
|
||
// replace script and iFrame | ||
if (options.replaceJS) { | ||
html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, | ||
'<pre class="js-embed-placeholder">Embedded JavaScript</pre>'); | ||
html = html.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, | ||
'<pre class="iframe-embed-placeholder">Embedded iFrame</pre>'); | ||
} | ||
|
||
// sanitize html | ||
html = html_sanitize(html, cajaSanitizers.url, cajaSanitizers.id); | ||
|
||
return htmlSafe(html); | ||
} | ||
|
||
export default helper(sanitizeHtml); |
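Review bot: `html.replace` throws a TypeError when the helper receives `null` or `undefined` (an html card with no content, or `{{sanitize-html}}` invoked without a value), because `html` is only unwrapped from `params` and never checked before the `replaceJS` branch; a guard such as `if (typeof html !== 'string') { return htmlSafe(''); }` directly after the `let html = …` line would make the helper safe to render with empty input. Running the placeholder replacement before `html_sanitize` is the right order, since the injected `<pre>` markup is then itself sanitised and any script or iframe markup the two regexes do not match (they require a closing tag) still reaches the sanitiser. A short JSDoc on `sanitizeHtml` noting that output safety rests entirely on the global `html_sanitize` with the `cajaSanitizers` callbacks, and that `replaceJS` only swaps matched script/iframe elements for visible placeholders, would help the next reader, since the function returns `htmlSafe` output that templates will not escape further.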
@@ -0,0 +1 @@ | ||
export {default, sanitizeHtml} from 'koenig-editor/helpers/sanitize-html'; |
@@ -0,0 +1,27 @@ | ||
import hbs from 'htmlbars-inline-precompile'; | ||
import {describe, it} from 'mocha'; | ||
import {expect} from 'chai'; | ||
import {setupComponentTest} from 'ember-mocha'; | ||
|
||
describe('Integration: Helper: sanitize-html', function () { | ||
setupComponentTest('sanitize-html', { | ||
integration: true | ||
}); | ||
|
||
it('renders html', function () { | ||
this.set('inputValue', '<strong>bold</strong>'); | ||
|
||
this.render(hbs`{{sanitize-html inputValue}}`); | ||
|
||
expect(this.$().html().trim()).to.equal('<strong>bold</strong>'); | ||
}); | ||
|
||
it('replaces scripts', function () { | ||
this.set('inputValue', '<script></script>'); | ||
|
||
this.render(hbs`{{sanitize-html inputValue}}`); | ||
|
||
expect(this.$().html().trim()).to.equal('<pre class="js-embed-placeholder">Embedded JavaScript</pre>'); | ||
}); | ||
}); | ||
|
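Review bot: The two cases cover only the script placeholder and a benign `<strong>` string; the iframe replacement branch of the helper, the `replaceJS: false` option, and the `html_sanitize` call itself have no coverage, so a regression that drops the sanitiser would still pass. A third case `this.set('inputValue', '<iframe></iframe>');` followed by `expect(this.$().html().trim()).to.equal('<pre class="iframe-embed-placeholder">Embedded iFrame</pre>');` would pin the second placeholder. A further case that feeds an element carrying an inline event-handler attribute and asserts the attribute is absent from the rendered output would confirm the sanitiser is actually applied rather than only the regex pre-pass.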