Merge pull request #355 from aoneill01/feature/sanitize-at-import
feat: sanitize css @import rules
aoneill01 authored Jul 10, 2023
2 parents a4ad708 + a3ba9eb commit 0ecec03
Showing 4 changed files with 38 additions and 0 deletions.
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -25,6 +25,7 @@
"dependencies": {
"base64-js": "1.2.1",
"base64-loader": "1.0.0",
"css-tree": "1.1.3",
"dompurify": "2.2.7",
"fastestsmallesttextencoderdecoder": "^1.0.22",
"minilog": "3.1.0",
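Review bot: css-tree is added as a new runtime dependency, but none of the 4 files in this commit is a lockfile; if the repository commits package-lock.json (or an equivalent), it should be regenerated in the same change so the resolved css-tree version and its transitive dependencies are pinned and auditable alongside this addition. The exact pin `"css-tree": "1.1.3"` is consistent with the neighbouring entries, which also pin exact versions.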
21 changes: 21 additions & 0 deletions src/sanitize-svg.js
Expand Up @@ -3,6 +3,7 @@
* as possible
*/
const fixupSvgString = require('./fixup-svg-string');
const {generate, parse, walk} = require('css-tree');
const DOMPurify = require('dompurify');

const sanitizeSvg = {};
Expand Down Expand Up @@ -30,6 +31,26 @@ DOMPurify.addHook(
}
);

DOMPurify.addHook(
'uponSanitizeElement',
(node, data) => {
if (data.tagName === 'style') {
const ast = parse(node.textContent);
let isModified = false;
// Remove any @import rules as it could leak HTTP requests
walk(ast, (astNode, item, list) => {
if (astNode.type === 'Atrule' && astNode.name === 'import') {
list.remove(item);
isModified = true;
}
});
if (isModified) {
node.textContent = generate(ast);
}
}
}
);

// Use JS implemented TextDecoder and TextEncoder if it is not provided by the
// browser.
let _TextDecoder;
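Review bot: The comment on the new hook, `// Remove any @import rules as it could leak HTTP requests`, reads as if CSS-initiated requests are now covered, but the walk only drops `Atrule` nodes whose name is `import`; css-tree also represents `url()` references in declarations (including inside `@font-face` blocks) as `Url` nodes, and those can still cause a fetch when the sanitized SVG is rendered, so either extend the walk to handle them or narrow the comment to `// Drop @import rules so the stylesheet cannot pull in external stylesheets; url() references in declarations are not handled here.` If the walk is extended, a `Url` node cannot simply be removed from its parent list without leaving an unparseable value, so the enclosing declaration (or at-rule) would be the unit to drop — I have not verified the exact 1.1.3 node layout, so treat that as something to confirm. The `list.remove(item)` removal during `walk` is the documented css-tree idiom and looks fine, and the `addHook` call is complete within the hunk.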
5 changes: 5 additions & 0 deletions test/fixtures/css-import.sanitized.svg
11 changes: 11 additions & 0 deletions test/fixtures/css-import.svg

0 comments on commit 0ecec03
