UNPKG

hast-util-sanitize/lib/schema.js

Version:

4.57 kBJavaScriptView Raw

1// Couple of ARIA attributes allowed in several, but not all, places.
2const aria = ['ariaDescribedBy', 'ariaLabel', 'ariaLabelledBy']
3
4/**
* Default schema.
*
* Follows GitHub style sanitation.
*
* @type {import('./index.js').Schema}
*/
11export const defaultSchema = {
ancestors: {
  tbody: ['table'],
  td: ['table'],
  th: ['table'],
  thead: ['table'],
  tfoot: ['table'],
  tr: ['table']
},
attributes: {
  a: [
    ...aria,
    // Note: these 3 are used by GFM footnotes, they do work on all links.
    'dataFootnoteBackref',
    'dataFootnoteRef',
    ['className', 'data-footnote-backref'],
    'href'
  ],
  blockquote: ['cite'],
  // Note: this class is not normally allowed by GH, when manually writing
  // `code` as HTML in markdown, they adds it some other way.
  // We can’t do that, so we have to allow it.
  code: [['className', /^language-./]],
  del: ['cite'],
  div: ['itemScope', 'itemType'],
  dl: [...aria],
  // Note: these 2 are used by GFM footnotes, they *sometimes* work.
  h2: [
    ['id', 'footnote-label'],
    ['className', 'sr-only']
  ],
  img: [...aria, 'longDesc', 'src'],
  // Note: `input` is not normally allowed by GH, when manually writing
  // it in markdown, they add it from tasklists some other way.
  // We can’t do that, so we have to allow it.
  input: [
    ['disabled', true],
    ['type', 'checkbox']
  ],
  ins: ['cite'],
  // Note: this class is not normally allowed by GH, when manually writing
  // `li` as HTML in markdown, they adds it some other way.
  // We can’t do that, so we have to allow it.
  li: [['className', 'task-list-item']],
  // Note: this class is not normally allowed by GH, when manually writing
  // `ol` as HTML in markdown, they adds it some other way.
  // We can’t do that, so we have to allow it.
  ol: [...aria, ['className', 'contains-task-list']],
  q: ['cite'],
  section: ['dataFootnotes', ['className', 'footnotes']],
  source: ['srcSet'],
  summary: [...aria],
  table: [...aria],
  // Note: this class is not normally allowed by GH, when manually writing
  // `ol` as HTML in markdown, they adds it some other way.
  // We can’t do that, so we have to allow it.
  ul: [...aria, ['className', 'contains-task-list']],
  '*': [
    'abbr',
    'accept',
    'acceptCharset',
    'accessKey',
    'action',
    'align',
    'alt',
    'axis',
    'border',
    'cellPadding',
    'cellSpacing',
    'char',
    'charOff',
    'charSet',
    'checked',
    'clear',
    'colSpan',
    'color',
    'cols',
    'compact',
    'coords',
    'dateTime',
    'dir',
    'disabled',
    'encType',
    'frame',
    'hSpace',
    'headers',
    'height',
    'hrefLang',
    'htmlFor',
    'id',
    'isMap',
    'itemProp',
    'label',
    'lang',
    'maxLength',
    'media',
    'method',
    'multiple',
    'name',
    'noHref',
    'noShade',
    'noWrap',
    'open',
    'prompt',
    'readOnly',
    'rel',
    'rev',
    'rowSpan',
    'rows',
    'rules',
    'scope',
    'selected',
    'shape',
    'size',
    'span',
    'start',
    'summary',
    'tabIndex',
    'target',
    'title',
    'useMap',
    'vAlign',
    'value',
    'width'
  ]
},
clobber: ['ariaDescribedBy', 'ariaLabelledBy', 'id', 'name'],
clobberPrefix: 'user-content-',
protocols: {
  cite: ['http', 'https'],
  href: ['http', 'https', 'irc', 'ircs', 'mailto', 'xmpp'],
  longDesc: ['http', 'https'],
  src: ['http', 'https']
},
required: {
  input: {disabled: true, type: 'checkbox'}
},
strip: ['script'],
tagNames: [
  'a',
  'b',
  'blockquote',
  'br',
  'code',
  'dd',
  'del',
  'details',
  'div',
  'dl',
  'dt',
  'em',
  'h1',
  'h2',
  'h3',
  'h4',
  'h5',
  'h6',
  'hr',
  'i',
  'img',
  // Note: `input` is not normally allowed by GH, when manually writing
  // it in markdown, they add it from tasklists some other way.
  // We can’t do that, so we have to allow it.
  'input',
  'ins',
  'kbd',
  'li',
  'ol',
  'p',
  'picture',
  'pre',
  'q',
  'rp',
  'rt',
  'ruby',
  's',
  'samp',
  'section',
  'source',
  'span',
  'strike',
  'strong',
  'sub',
  'summary',
  'sup',
  'table',
  'tbody',
  'td',
  'tfoot',
  'th',
  'thead',
  'tr',
  'tt',
  'ul',
  'var'
]
207}

1	`// Couple of ARIA attributes allowed in several, but not all, places.`
2	`const aria = ['ariaDescribedBy', 'ariaLabel', 'ariaLabelledBy']`
3
4	`/**`
5	`* Default schema.`
6	`*`
7	`* Follows GitHub style sanitation.`
8	`*`
9	`* @type {import('./index.js').Schema}`
10	`*/`
11	`export const defaultSchema = {`
12	`ancestors: {`
13	`tbody: ['table'],`
14	`td: ['table'],`
15	`th: ['table'],`
16	`thead: ['table'],`
17	`tfoot: ['table'],`
18	`tr: ['table']`
19	`},`
20	`attributes: {`
21	`a: [`
22	`...aria,`
23	`// Note: these 3 are used by GFM footnotes, they do work on all links.`
24	`'dataFootnoteBackref',`
25	`'dataFootnoteRef',`
26	`['className', 'data-footnote-backref'],`
27	`'href'`
28	`],`
29	`blockquote: ['cite'],`
30	`// Note: this class is not normally allowed by GH, when manually writing`
31	// `code` as HTML in markdown, they adds it some other way.
32	`// We can’t do that, so we have to allow it.`
33	`code: [['className', /^language-./]],`
34	`del: ['cite'],`
35	`div: ['itemScope', 'itemType'],`
36	`dl: [...aria],`
37	`// Note: these 2 are used by GFM footnotes, they sometimes work.`
38	`h2: [`
39	`['id', 'footnote-label'],`
40	`['className', 'sr-only']`
41	`],`
42	`img: [...aria, 'longDesc', 'src'],`
43	// Note: `input` is not normally allowed by GH, when manually writing
44	`// it in markdown, they add it from tasklists some other way.`
45	`// We can’t do that, so we have to allow it.`
46	`input: [`
47	`['disabled', true],`
48	`['type', 'checkbox']`
49	`],`
50	`ins: ['cite'],`
51	`// Note: this class is not normally allowed by GH, when manually writing`
52	// `li` as HTML in markdown, they adds it some other way.
53	`// We can’t do that, so we have to allow it.`
54	`li: [['className', 'task-list-item']],`
55	`// Note: this class is not normally allowed by GH, when manually writing`
56	// `ol` as HTML in markdown, they adds it some other way.
57	`// We can’t do that, so we have to allow it.`
58	`ol: [...aria, ['className', 'contains-task-list']],`
59	`q: ['cite'],`
60	`section: ['dataFootnotes', ['className', 'footnotes']],`
61	`source: ['srcSet'],`
62	`summary: [...aria],`
63	`table: [...aria],`
64	`// Note: this class is not normally allowed by GH, when manually writing`
65	// `ol` as HTML in markdown, they adds it some other way.
66	`// We can’t do that, so we have to allow it.`
67	`ul: [...aria, ['className', 'contains-task-list']],`
68	`'*': [`
69	`'abbr',`
70	`'accept',`
71	`'acceptCharset',`
72	`'accessKey',`
73	`'action',`
74	`'align',`
75	`'alt',`
76	`'axis',`
77	`'border',`
78	`'cellPadding',`
79	`'cellSpacing',`
80	`'char',`
81	`'charOff',`
82	`'charSet',`
83	`'checked',`
84	`'clear',`
85	`'colSpan',`
86	`'color',`
87	`'cols',`
88	`'compact',`
89	`'coords',`
90	`'dateTime',`
91	`'dir',`
92	`'disabled',`
93	`'encType',`
94	`'frame',`
95	`'hSpace',`
96	`'headers',`
97	`'height',`
98	`'hrefLang',`
99	`'htmlFor',`
100	`'id',`
101	`'isMap',`
102	`'itemProp',`
103	`'label',`
104	`'lang',`
105	`'maxLength',`
106	`'media',`
107	`'method',`
108	`'multiple',`
109	`'name',`
110	`'noHref',`
111	`'noShade',`
112	`'noWrap',`
113	`'open',`
114	`'prompt',`
115	`'readOnly',`
116	`'rel',`
117	`'rev',`
118	`'rowSpan',`
119	`'rows',`
120	`'rules',`
121	`'scope',`
122	`'selected',`
123	`'shape',`
124	`'size',`
125	`'span',`
126	`'start',`
127	`'summary',`
128	`'tabIndex',`
129	`'target',`
130	`'title',`
131	`'useMap',`
132	`'vAlign',`
133	`'value',`
134	`'width'`
135	`]`
136	`},`
137	`clobber: ['ariaDescribedBy', 'ariaLabelledBy', 'id', 'name'],`
138	`clobberPrefix: 'user-content-',`
139	`protocols: {`
140	`cite: ['http', 'https'],`
141	`href: ['http', 'https', 'irc', 'ircs', 'mailto', 'xmpp'],`
142	`longDesc: ['http', 'https'],`
143	`src: ['http', 'https']`
144	`},`
145	`required: {`
146	`input: {disabled: true, type: 'checkbox'}`
147	`},`
148	`strip: ['script'],`
149	`tagNames: [`
150	`'a',`
151	`'b',`
152	`'blockquote',`
153	`'br',`
154	`'code',`
155	`'dd',`
156	`'del',`
157	`'details',`
158	`'div',`
159	`'dl',`
160	`'dt',`
161	`'em',`
162	`'h1',`
163	`'h2',`
164	`'h3',`
165	`'h4',`
166	`'h5',`
167	`'h6',`
168	`'hr',`
169	`'i',`
170	`'img',`
171	// Note: `input` is not normally allowed by GH, when manually writing
172	`// it in markdown, they add it from tasklists some other way.`
173	`// We can’t do that, so we have to allow it.`
174	`'input',`
175	`'ins',`
176	`'kbd',`
177	`'li',`
178	`'ol',`
179	`'p',`
180	`'picture',`
181	`'pre',`
182	`'q',`
183	`'rp',`
184	`'rt',`
185	`'ruby',`
186	`'s',`
187	`'samp',`
188	`'section',`
189	`'source',`
190	`'span',`
191	`'strike',`
192	`'strong',`
193	`'sub',`
194	`'summary',`
195	`'sup',`
196	`'table',`
197	`'tbody',`
198	`'td',`
199	`'tfoot',`
200	`'th',`
201	`'thead',`
202	`'tr',`
203	`'tt',`
204	`'ul',`
205	`'var'`
206	`]`
207	`}`