Add DOMPurify to address XSS issues; closes #420 #431
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey @shakeelmohamed - I've reviewed your changes and they look great!
Here's what I looked at during the review
- 🟡 General issues: 4 issues found
- 🟢 Security: all looks good
- 🟡 Testing: 5 issues found
- 🟢 Complexity: all looks good
- 🟢 Docstrings: all looks good
Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.
Comment on lines
+1
to
+7
| const { | ||
| entries, | ||
| setPrototypeOf, | ||
| isFrozen, | ||
| getPrototypeOf, | ||
| getOwnPropertyDescriptor, | ||
| } = Object; |
There was a problem hiding this comment.
suggestion (code_refinement): Consider destructuring directly in the import statement for clarity.
This approach can make the imports cleaner and more declarative.
| getOwnPropertyDescriptor, | ||
| } = Object; | ||
|
|
||
| let { freeze, seal, create } = Object; // eslint-disable-line import/no-mutable-exports |
There was a problem hiding this comment.
suggestion (code_refinement): Avoid using 'let' for imports that do not change.
Using 'const' instead of 'let' for these imports would ensure they are not reassigned later, enhancing code reliability.
Suggested change
| let { freeze, seal, create } = Object; // eslint-disable-line import/no-mutable-exports | |
| const { freeze, seal, create } = Object; |
Comment on lines
+12
to
+16
| if (!freeze) { | ||
| freeze = function (x) { | ||
| return x; | ||
| }; | ||
| } |
There was a problem hiding this comment.
suggestion (performance): Consider removing the polyfill for 'Object.freeze'.
Modern environments support 'Object.freeze'. Including polyfills for standard methods could lead to unnecessary code bloat.
Suggested change
| if (!freeze) { | |
| freeze = function (x) { | |
| return x; | |
| }; | |
| } | |
| if (!freeze) { | |
| freeze = Object.freeze; | |
| } |
| } | ||
| var purify = createDOMPurify(); | ||
|
|
||
| export { purify as default }; |
There was a problem hiding this comment.
suggestion (code_refinement): Consider using explicit exports instead of a default export.
Using named exports can help with clearer import statements in consuming modules and potentially easier mocking in tests.
Suggested change
| export { purify as default }; | |
| export { purify }; |
| return unapply(desc.value); | ||
| } | ||
| } | ||
| object = getPrototypeOf(object); |
There was a problem hiding this comment.
issue (code-quality): Don't reassign parameter - object (dont-reassign-parameters)
Explanation
Reassigning parameters can lead to unexpected behavior, especially when accessing the arguments object. It can also cause optimization issues, especially in V8.From the Airbnb JavaScript Style Guide
Comment on lines
+175
to
+177
| function fallbackValue() { | ||
| return null; | ||
| } |
There was a problem hiding this comment.
issue (code-quality): Avoid function declarations, favouring function assignment expressions, inside blocks. (avoid-function-declarations-in-blocks)
Explanation
Function declarations may be hoisted in Javascript, but the behaviour is inconsistent between browsers. Hoisting is generally confusing and should be avoided. Rather than using function declarations inside blocks, you should use function expressions, which create functions in-scope.
Comment on lines
+220
to
+232
| var EXPRESSIONS = /*#__PURE__*/Object.freeze({ | ||
| __proto__: null, | ||
| MUSTACHE_EXPR: MUSTACHE_EXPR, | ||
| ERB_EXPR: ERB_EXPR, | ||
| TMPLIT_EXPR: TMPLIT_EXPR, | ||
| DATA_ATTR: DATA_ATTR, | ||
| ARIA_ATTR: ARIA_ATTR, | ||
| IS_ALLOWED_URI: IS_ALLOWED_URI, | ||
| IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA, | ||
| ATTR_WHITESPACE: ATTR_WHITESPACE, | ||
| DOCTYPE_NAME: DOCTYPE_NAME, | ||
| CUSTOM_ELEMENT: CUSTOM_ELEMENT | ||
| }); |
There was a problem hiding this comment.
issue (code-quality): Use const or let instead of var. (avoid-using-var)
Explanation
`const` is preferred as it ensures you cannot reassign references (which can lead to buggy and confusing code). `let` may be used if you need to reassign references - it's preferred to `var` because it is block- rather than function-scoped.From the Airbnb JavaScript Style Guide
| document | ||
| } = window; | ||
| const originalDocument = document; | ||
| const currentScript = originalDocument.currentScript; |
There was a problem hiding this comment.
suggestion (code-quality): Prefer object destructuring when accessing and using properties. (use-object-destructuring)
Suggested change
| const currentScript = originalDocument.currentScript; | |
| const {currentScript} = originalDocument; |
Explanation
Object destructuring can often remove an unnecessary temporary reference, as well as making your code more succinct.From the Airbnb Javascript Style Guide
Comment on lines
+1085
to
+1099
| if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ; else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) { | ||
| if ( | ||
| // First condition does a very basic check if a) it's basically a valid custom element tagname AND | ||
| // b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck | ||
| // and c) if the attribute name passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.attributeNameCheck | ||
| _isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) || CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName)) || | ||
| // Alternative, second condition checks if it's an `is`-attribute, AND | ||
| // the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck | ||
| lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ; else { | ||
| return false; | ||
| } | ||
| /* Check value is safe. First, is attr inert? If so, is safe */ | ||
| } else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) { | ||
| return false; | ||
| } else ; |
There was a problem hiding this comment.
suggestion (code-quality): Use block braces for ifs, whiles, etc. (use-braces)
Suggested change
| if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ; else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) { | |
| if ( | |
| // First condition does a very basic check if a) it's basically a valid custom element tagname AND | |
| // b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck | |
| // and c) if the attribute name passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.attributeNameCheck | |
| _isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) || CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName)) || | |
| // Alternative, second condition checks if it's an `is`-attribute, AND | |
| // the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck | |
| lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ; else { | |
| return false; | |
| } | |
| /* Check value is safe. First, is attr inert? If so, is safe */ | |
| } else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) { | |
| return false; | |
| } else ; | |
| if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) { | |
| ; | |
| } else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) { | |
| if ( | |
| // First condition does a very basic check if a) it's basically a valid custom element tagname AND | |
| // b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck | |
| // and c) if the attribute name passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.attributeNameCheck | |
| _isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) || CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName)) || | |
| // Alternative, second condition checks if it's an `is`-attribute, AND | |
| // the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck | |
| lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ; else { | |
| return false; | |
| } | |
| /* Check value is safe. First, is attr inert? If so, is safe */ | |
| } else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) { | |
| return false; | |
| } else ; | |
Explanation
It is recommended to always use braces and create explicit statement blocks.Using the allowed syntax to just write a single statement can lead to very confusing
situations, especially where subsequently a developer might add another statement
while forgetting to add the braces (meaning that this wouldn't be included in the condition).
Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #420