fix: fallbackSantizer used before defined
fixed by converting the function expression to a function declaration to leverage hoisting
kevinchappell committed Oct 5, 2023
1 parent 8f88df2 commit 4fe4937
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions src/js/sanitizer.js
Expand Up @@ -8,7 +8,7 @@ const sanitizerConfig = {
form: true,
namespaceAttributes: false, //whether to prefix with user-content-
},
backendOrder: ['dompurify','sanitizer','fallback'],
backendOrder: ['dompurify', 'sanitizer', 'fallback'],
backends: {
sanitizer: typeof window['Sanitizer'] === 'function' ? new window.Sanitizer() : false,
dompurify: window.DOMPurify ? (purify => {
Expand All @@ -29,7 +29,7 @@ export const setSanitizerConfig = config => {
}

if (config.hasOwnProperty('clobberingProtection')) {
['document','form','namespaceAttributes'].forEach(type => {
['document', 'form', 'namespaceAttributes'].forEach(type => {
if (config.clobberingProtection.hasOwnProperty(type) && typeof config.clobberingProtection[type] === 'boolean') {
sanitizerConfig.clobberingProtection[type] = config.clobberingProtection[type]
}
Expand Down Expand Up @@ -64,15 +64,15 @@ export const isPotentiallyDangerousAttribute = (attrName, attrValue) => {
return false
}
const attrNameLc = attrName.toLowerCase()
attrValue = attrValue ? attrValue+'' : ''
attrValue = attrValue ? attrValue + '' : ''
return (
attrNameLc.startsWith('on')
|| ['form', 'formaction'].includes(attrNameLc)
|| attrValue.trim().toLowerCase().startsWith('javascript:')
)
}

const fallbackSanitizer = content => {
function fallbackSanitizer(content) {
//Fallback function if no other sanitizer is available

//jQuery < 3.5 doesn't have this safety feature, so we implement it here
Expand Down Expand Up @@ -197,7 +197,7 @@ const sanitizersCallbacks = {
sanitizer: (element, content) => {
const sanitizer = sanitizerConfig.backends.sanitizer
if (sanitizer) {
element.setHTML(content, {sanitizer: sanitizer})
element.setHTML(content, { sanitizer: sanitizer })
}
return false
}
Expand All @@ -224,4 +224,4 @@ const sanitizer = {
attributeWillClobber,
}

export default sanitizer
export default sanitizer
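Review bot: The `javascript:` test in `isPotentiallyDangerousAttribute` (third hunk) only applies `trim()` and `toLowerCase()` before `startsWith`, whereas URL parsing also discards ASCII tab, CR and LF anywhere in the value and strips leading C0 control characters, so a value can still resolve to that scheme without matching here. Normalising first, for example `const normalized = attrValue.replace(/[\u0000-\u0020]+/g, '').toLowerCase()` and then testing `normalized.startsWith('javascript:')`, would cover those cases at the cost of a few harmless false positives. The check also does not consider other script-capable schemes such as `data:`; if that is deliberate, a short comment saying so would help the next reader. The beginning of the function lies outside the hunk, so an earlier guard may already handle part of this.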
