Added optional HTML sanitization of readable contents.

n1k0 · n1k0 · commit 64f1d663a1ee · 2015-02-23T15:36:49.000+01:00
diff --git a/README.md b/README.md
@@ -23,6 +23,33 @@ Note about CORS: by design, the server will allow any origin to access it, so br
 Usage
 -----
 
+### `GET /get`
+
+#### Required parameters
+
+- `url`: The URL to retrieve retrieve readable contents from, eg. `https://nicolas.perriault.net/code/2013/get-your-frontend-javascript-code-covered/`.
+
+#### Optional parameters
+
+- `sanitize`: A *boolean string* to enable HTML sanitization (valid truthy boolean strings: "1", "on", "true", "yes", "y"; everything else will be considered falsy):
+
+**Note:** Enabling contents sanitization loses Readability.js specific HTML semantics, though is probably safer for users if you plan to publish retrieved contents on a public website.
+
+#### Example
+
+Content sanitization enabled:
+
+    $ curl http://0.0.0.0:3000/get\?sanitize=y&url\=https://nicolas.perriault.net/code/2013/get-your-frontend-javascript-code-covered/
+    {
+      "byline":"Nicolas Perriault —",
+      "content":"<p><strong>So finally you&#39;re <a href=\"https://nicolas.perriault.net/code/2013/testing-frontend-javascript-code-using-mocha-chai-and-sinon/\">testing",
+      "length":2867,
+      "title":"Get your Frontend JavaScript Code Covered | Code",
+      "uri":"https://nicolas.perriault.net/code/2013/get-your-frontend-javascript-code-covered/"
+    }
+
+Content sanitization disabled (default):
+
     $ curl http://0.0.0.0:3000/get\?url\=https://nicolas.perriault.net/code/2013/get-your-frontend-javascript-code-covered/
     {
       "byline":"Nicolas Perriault —",
diff --git a/index.js b/index.js
@@ -1,9 +1,38 @@
 var scrape = require("./scrape");
 var express = require("express");
 var pkgInfo = require("./package.json");
+var html2md = require("html-md");
+var markdown = require("markdown");
 
 var app = express();
 
+/**
+ * Casts a qs string arg into an actual boolean.
+ * @param  {String} arg The query string arg.
+ * @return {Boolean}
+ */
+function boolArg(queryParam) {
+  if (!queryParam) return false;
+  return ["1", "on", "true", "yes", "y"].indexOf(queryParam.toLowerCase()) !== -1;
+}
+
+/**
+ * Takes a result object and replace native html contents with a safer sanitized
+ * version.
+ * @param  {Object} resultObject
+ * @return {Object}
+ */
+function sanitizeResult(resultObject) {
+  try {
+    var sanitized = markdown.parse(html2md(resultObject.content));
+    resultObject.content = sanitized;
+    resultObject.length = sanitized.length;
+    return resultObject;
+  } catch (err) {
+    throw {error: "Failed HTML sanitization:" + (err || "Unknown reason.")};
+  }
+}
+
 app.use(function(req, res, next) {
   res.header("Content-Type", "application/json");
   res.header("Access-Control-Allow-Origin", "*");
@@ -21,12 +50,12 @@ app.get("/", function(req, res) {
 });
 
 app.get("/get", function(req, res) {
-  var url = req.query.url;
+  var url = req.query.url, sanitize = boolArg(req.query.sanitize);
   if (!url) {
     return res.status(400).json({error: "Missing url parameter"});
   }
   scrape(url).then(function(result) {
-    res.json(result);
+    res.json(sanitize ? sanitizeResult(result) : result);
   }).catch(function(err) {
     res.status(500).json(err);
   });
diff --git a/package.json b/package.json
@@ -17,6 +17,8 @@
   "dependencies": {
     "bluebird": "^2.9.12",
     "express": "^4.11.2",
+    "html-md": "^3.0.2",
+    "markdown": "^0.5.0",
     "phantomjs": "^1.9.15"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@`
`17`	`17`	`"dependencies": {`
`18`	`18`	`"bluebird": "^2.9.12",`
`19`	`19`	`"express": "^4.11.2",`
	`20`	`+ "html-md": "^3.0.2",`
	`21`	`+ "markdown": "^0.5.0",`
`20`	`22`	`"phantomjs": "^1.9.15"`
`21`	`23`	`}`
`22`	`24`	`}`