Merge pull request #73 from curbengh/sanitize

fix(parseFeed): sanitise input
hexojs · Sep 2, 2020 · 3930073 · 3930073
2 parents da501b9 + 4996362
commit 3930073
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/lib/feed.js b/lib/feed.js
@@ -45,7 +45,9 @@ const detectFeedType = async xml => {
   throw new Error('unknown feed type');
 };
 
-const parseFeed = async xml => {
+const parseFeed = async input => {
+  // eslint-disable-next-line no-control-regex
+  const xml = input.replace(/[\x00-\x09|\x0b-\x0c|\x0e-\x1f]/g, '');
   const type = await detectFeedType(xml);
   const output = await transform(xml, template[type]);
   return output;

diff --git a/test/index.js b/test/index.js
@@ -262,4 +262,20 @@ describe('migrator', function() {
 
     posts.length.should.not.eql(expected.items.length);
   });
+
+  // hexojs/hexo-migrator-wordpress#105
+  it('sanitize input', async () => {
+    const title = 'foo';
+    const content = 'foo\x00\x11bar';
+    const xml = `<feed><title>test</title>
+    <entry><title>${title}</title><content>${content}</content></entry></feed>`;
+    const path = join(__dirname, 'atom-test.xml');
+    await writeFile(path, xml);
+    await m({ _: [path] });
+
+    const post = await readFile(join(hexo.source_dir, '_posts', slugize(title) + '.md'));
+    post.should.include('foobar');
+
+    await unlink(path);
+  });
 });