/*
 *
 * Attribute whitelisting
 *
 */
6
7
8import {
9 attributeName,
10 attributeValue,
11 elementAttributes,
12 elementNamespaceOrName
13} from './ast';
14import generate from './generation';
15import {whitelist as tagWhitelistedAttributes} from './options';
16
17
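module.exports = {
  /**
   * Return all whitelisted attribute names for this elementName.
   *
   * Only the whitelist's own entries are consulted. A plain property read
   * also walks the prototype chain, so an element name that collides with an
   * inherited member (`constructor`, `toString`, `__proto__`, ...) would
   * resolve to that member instead of falling back to the empty list.
   * NOTE(review): assumes the whitelist from './options' is a plain object
   * keyed by element name, with each entry an array of names; confirm there.
   *
   * @param {string} elementName - key to look up in the whitelist.
   * @returns {string[]} the whitelisted names, or an empty array when the
   *   element has no entry.
   */
  whitelistedAttributeNames(elementName) {
    const hasOwnEntry = Object.prototype.hasOwnProperty.call(
      tagWhitelistedAttributes,
      elementName
    );
    return (hasOwnEntry && tagWhitelistedAttributes[elementName]) || [];
  },

  /**
   * Return the attributes of `element` that pass isExtractableAttribute(),
   * i.e. the whitelisted ones.
   *
   * @param {object} element - AST element node.
   * @returns {object[]} the matching attribute nodes.
   */
  extractableAttributes(element) {
    return elementAttributes(element).filter((attribute) =>
      this.isExtractableAttribute(element, attribute)
    );
  },

  /**
   * Return the attributes of `element` that are NOT whitelisted.
   *
   * @param {object} element - AST element node.
   * @returns {object[]} the non-whitelisted attribute nodes.
   */
  sanitizedAttributes(element) {
    return elementAttributes(element).filter(
      (attribute) => !this.isWhitelistedAttribute(element, attribute)
    );
  },

  /**
   * Report whether `attribute` is on the whitelist for `element`.
   *
   * The whitelist key is whatever elementNamespaceOrName() returns for the
   * element; the comparison against attributeName() is an exact match.
   *
   * @param {object} element - AST element node.
   * @param {object} attribute - AST attribute node belonging to `element`.
   * @returns {boolean} true when the attribute name is whitelisted.
   */
  isWhitelistedAttribute(element, attribute) {
    const whitelistKey = elementNamespaceOrName(element);
    const allowedNames = this.whitelistedAttributeNames(whitelistKey);
    return allowedNames.indexOf(attributeName(attribute)) !== -1;
  },

  /**
   * Report whether `attribute` is whitelisted for `element`, warning through
   * console.warn when a whitelisted attribute has no value.
   *
   * NOTE(review): the result is the whitelist check alone. A whitelisted
   * attribute with a falsy attributeValue() is reported as "Ignoring ..." but
   * this still returns true for it, so callers have to skip value-less
   * attributes themselves; confirm that they do.
   *
   * @param {object} element - AST element node.
   * @param {object} attribute - AST attribute node belonging to `element`.
   * @returns {boolean} true when the attribute is whitelisted.
   */
  isExtractableAttribute(element, attribute) {
    const value = attributeValue(attribute);
    const attributeIsWhitelisted = this.isWhitelistedAttribute(element, attribute);
    if (attributeIsWhitelisted && !value) {
      console.warn("Ignoring non-literal extractable attribute:", generate(attribute).code);
    }
    return attributeIsWhitelisted;
  },

  /**
   * Report whether `element` has any attributes to be sanitized, i.e. at
   * least one attribute that is not whitelisted.
   *
   * @param {object} element - AST element node.
   * @returns {boolean} true when sanitizedAttributes() is non-empty.
   */
  hasUnsafeAttributes(element) {
    return this.sanitizedAttributes(element).length > 0;
  },
};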