From b6a4621336b221e7b4afbf830eb118fa84e42833 Mon Sep 17 00:00:00 2001
From: David Roe
Date: Tue, 7 Nov 2023 12:45:18 +0000
Subject: [PATCH] fix(javascript): add fallback for html user input sanitizer (#176)

---
 .../javascript/shared/third_parties/sanitize_html_sanitizer.yml | 2 ++
 tests/javascript/lang/raw_html_using_user_input/testdata/ok.js | 1 +
 2 files changed, 3 insertions(+)

diff --git a/rules/javascript/shared/third_parties/sanitize_html_sanitizer.yml b/rules/javascript/shared/third_parties/sanitize_html_sanitizer.yml
index 2db3874d4..7d8bc2a4c 100644
--- a/rules/javascript/shared/third_parties/sanitize_html_sanitizer.yml
+++ b/rules/javascript/shared/third_parties/sanitize_html_sanitizer.yml
@@ -7,6 +7,8 @@ patterns:
 - sanitize($$<_>$<...>)
 # DOMPurifier
 - sanitizeHtml($$<_>$<...>)
+# fallback
+- sanitizer($<...>$$<_>$<...>)
 metadata:
 description: "sanitize HTML sanitizer."
 id: javascript_shared_third_parties_sanitize_html_sanitizer
diff --git a/tests/javascript/lang/raw_html_using_user_input/testdata/ok.js b/tests/javascript/lang/raw_html_using_user_input/testdata/ok.js
index b98ad612e..f7987a500 100644
--- a/tests/javascript/lang/raw_html_using_user_input/testdata/ok.js
+++ b/tests/javascript/lang/raw_html_using_user_input/testdata/ok.js
@@ -1,6 +1,7 @@
 `
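Review bot: The new `sanitizer($<...>$$<_>$<...>)` pattern accepts any call whose callee is named `sanitizer` as an HTML sanitizer on the name alone, so a project helper of that name that only trims or normalises the value would suppress the raw_html_using_user_input finding for it, whereas the two existing entries are at least tied to library entry points (`sanitize` for DOMPurify, `sanitizeHtml` for sanitize-html). The `# fallback` comment does not record that trade-off; I would expand it to `# fallback: any callee named sanitizer, tainted value at any argument position; matched by name only, so it can mask findings when that helper does not actually sanitize HTML`. If the pattern language can tie the callee to an import or known module (I cannot tell from here), narrowing the match would be the safer fix. The hunk's line breaks and YAML indentation were collapsed in this view, so the placement of the two added entries under `patterns:` cannot be checked.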

#{sanitizeHtml(req.params.ok)}

 `
 doT.compile(sanitizeHtml(req.params.ok), {})
+doT.compile(sanitizer({ option: true }, req.params.ok), {})
 ejs.compile(sanitizeHtml(req.params.ok), {})
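Review bot: The fixture adds only a positive case, `doT.compile(sanitizer({ option: true }, req.params.ok), {})`, so it shows the fallback suppresses the finding for that call but not that it suppresses only that call. If this test directory has a companion fixture for expected findings (not visible here), a case where the tainted value is passed through `sanitizer(...)` while the template still interpolates the raw `req.params.ok` would guard against the name-based match over-suppressing. The context lines of this hunk were collapsed together with the preceding hunk in this view, and the old/new line counts in the hunk header do not match the lines shown, so the fixture's exact layout cannot be confirmed here.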