Add sanitizeValues and isSecureLink (#390)

* feat(sanitizer): add sanitizeValues and isSecureLink * 0.7.0
platformbuilders · Feb 17, 2023 · c008e2f · c008e2f
1 parent 12da052
commit c008e2f
Show file tree

Hide file tree

Showing 4 changed files with 462 additions and 13 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@platformbuilders/helpers",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Builders helpers library",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -50,6 +50,7 @@
     "@babel/preset-env": "7.20.2",
     "@babel/preset-react": "7.18.6",
     "@babel/runtime": "7.20.1",
+    "@types/dompurify": "^2.4.0",
     "@types/jest": "29.2.3",
     "@types/lodash": "4.14.189",
     "@types/numeral": "2.0.2",
@@ -91,5 +92,8 @@
     "ts-jest": "29.0.3",
     "typescript": "4.9.3",
     "uglify-js": "3.17.4"
+  },
+  "dependencies": {
+    "isomorphic-dompurify": "^1.0.0"
   }
 }
diff --git a/src/__tests__/sanitizer.spec.ts b/src/__tests__/sanitizer.spec.ts
@@ -0,0 +1,44 @@
+import { isSecureLink, sanitizeValues } from '../shared/sanitizer';
+
+describe('Sanitizer', () => {
+  describe('isSecureLink', () => {
+    it('should return isSecure false when pass link without http protocol', () => {
+      const isSecure = isSecureLink('wss://google.com');
+      expect(isSecure).toBeFalsy();
+    });
+
+    it('should return isSecure false when pass invalid link', () => {
+      const isSecure = isSecureLink('ja&#x0000A;vascript:alert(1)');
+      expect(isSecure).toBeFalsy();
+    });
+  });
+
+  describe('sanitizeValues', () => {
+    it('should return same values when pass secure values', () => {
+      const objectValues = {
+        a: 1,
+        b: 2,
+      };
+
+      const purifiedValues = sanitizeValues(objectValues);
+
+      expect(objectValues).toStrictEqual(purifiedValues);
+    });
+
+    it('should return purified values when pass insecure values', () => {
+      const objectValues = {
+        a: '<b>hello there</b>',
+        b: 2,
+      };
+
+      const expectedValues = {
+        a: 'hello there',
+        b: 2,
+      };
+
+      const purifiedValues = sanitizeValues(objectValues);
+
+      expect(expectedValues).toStrictEqual(purifiedValues);
+    });
+  });
+});
diff --git a/src/shared/sanitizer.ts b/src/shared/sanitizer.ts
@@ -0,0 +1,33 @@
+import * as DOMPurify from 'isomorphic-dompurify';
+
+type ConfigSanitize = DOMPurify.Config & {
+  RETURN_DOM_FRAGMENT?: false | undefined;
+  RETURN_DOM?: false | undefined;
+};
+
+const defaultConfig: ConfigSanitize = {
+  RETURN_DOM_FRAGMENT: false,
+  SANITIZE_DOM: true,
+  USE_PROFILES: { html: false },
+};
+
+export const sanitizeValues = <T = Record<string, any>>(
+  values: T,
+  config?: ConfigSanitize,
+): T => {
+  const purifiedValues = DOMPurify.sanitize(JSON.stringify(values), {
+    ...defaultConfig,
+    ...config,
+  });
+
+  return JSON.parse(purifiedValues);
+};
+
+export const isSecureLink = (url: string): boolean => {
+  try {
+    const parsed = new URL(url);
+    return ['https:', 'http:'].includes(parsed.protocol);
+  } catch (error) {
+    return false;
+  }
+};