zio/elk
2
0
Fork 0
Code Releases 2 Packages 1 Activity

fix: prevent HTML injections to code blocks (#1165)

Browse source
This commit is contained in:
jviide 2023-01-15 12:48:22 +02:00 committed by GitHub
parent 1a4fd19720
commit c15df78cbb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 88 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

39
tests/__snapshots__/content-rich.test.ts.snap
View file

@ -1,9 +1,36 @@
// Vitest Snapshot v1
exports[`content-rich > block with backticks 1`] = `"<p><pre>[(\`number string) (\`tag string)]</pre></p>"`;
exports[`content-rich > block with backticks 1`] = `"<p><pre class=\\"code-block\\">[(\`number string) (\`tag string)]</pre></p>"`;
exports[`content-rich > block with injected html, with a known language 1`] = `
"<pre>
<code class=\\"language-js\\">
&lt;a href=&quot;javascript:alert(1)&quot;&gt;click me&lt;/a&gt;
</code>
</pre>
"
`;
exports[`content-rich > block with injected html, with an unknown language 1`] = `
"<pre>
<code class=\\"language-xyzzy\\">
&lt;a href=&quot;javascript:alert(1)&quot;&gt;click me&lt;/a&gt;
</code>
</pre>
"
`;
exports[`content-rich > block with injected html, without language 1`] = `
"<pre>
<code>
&lt;a href=&quot;javascript:alert(1)&quot;&gt;click me&lt;/a&gt;
</code>
</pre>
"
`;
exports[`content-rich > code frame 1`] = `
"<p>Testing code block</p><p></p><p><pre lang=\\"ts\\">import { useMouse, usePreferredDark } from &#39;@vueuse/core&#39;
"<p>Testing code block</p><p></p><p><pre class=\\"code-block\\">import { useMouse, usePreferredDark } from &apos;@vueuse/core&apos;
// tracks mouse position
const { x, y } = useMouse()
// is the user prefers dark theme
@ -20,14 +47,14 @@ exports[`content-rich > code frame 2 1`] = `
></a
></span>
Testing<br />
<pre lang=\\"ts\\">const a = hello</pre>
<pre class=\\"code-block\\">const a = hello</pre>
</p>
"
`;
exports[`content-rich > code frame empty 1`] = `"<p><pre></pre><br></p>"`;
exports[`content-rich > code frame empty 1`] = `"<p><pre class=\\"code-block\\"></pre><br></p>"`;
exports[`content-rich > code frame no lang 1`] = `"<p><pre>hello world</pre><br>no lang</p>"`;
exports[`content-rich > code frame no lang 1`] = `"<p><pre class=\\"code-block\\">hello world</pre><br>no lang</p>"`;
exports[`content-rich > custom emoji 1`] = `
"Daniel Roe
@ -75,7 +102,7 @@ exports[`content-rich > handles formatting from servers 1`] = `
exports[`content-rich > handles html within code blocks 1`] = `
"<p>
HTML block code:<br />
<pre lang=\\"html\\">
<pre class=\\"code-block\\">
&lt;span class=&quot;icon--noto icon--noto--1st-place-medal&quot;&gt;&lt;/span&gt;
&lt;span class=&quot;icon--noto icon--noto--2nd-place-medal-medal&quot;&gt;&lt;/span&gt;</pre
>