DX | 24-02-2025 | Release #145

Merged
merged 6 commits into from
Feb 19, 2025
5 changes: 4 additions & 1 deletion CHANGELOG.md
@@ -1,6 +1,9 @@
# Changelog

## [1.3.18](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.17) (2025-02-17)
## [1.3.19](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.19) (2025-02-24)
- Fix: Added fix for html injection in keys and values of attributes

## [1.3.18](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.18) (2025-02-17)
- Fix: Added fix for html injection

## [1.3.17](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.17) (2025-02-11)
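Review bot: the 1.3.19 entry should state what consumers will observe, not just "fix for html injection": per the accompanying tests, attributes whose keys contain forbidden characters (such as `<`, `>` or `"`) are now dropped from the output entirely, while values are entity-encoded. Dropping attributes is a behaviour change that callers depending on those keys need to be told about, so one more clause here, e.g. "attributes with forbidden characters in keys are now omitted; values are HTML-escaped", would be worth adding. Good to see the 1.3.18 link corrected from `tree/v1.3.17` to `tree/v1.3.18`.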
87 changes: 87 additions & 0 deletions __test__/attributes-to-string.test.ts
Expand Up @@ -49,5 +49,92 @@ describe('Attributes to String', () => {
expect(resultString).toEqual(' style="text-align:left; " rows="4" cols="2" colWidths="250, 250"')
done()
})
it('Should rignore attributes with forbidden characters in keys and values', done => {
const attr = {
"style": {
"text-align": "left"
},
"rows": 4,
"cols": 2,
"colWidths": [250, 250],
"<ls": "\"></p><h1>test</h1><p class=\"",
"\"></p><h1>test</h1><p class=\"": 1
} as Attributes;

const resultString = attributeToString(attr);

expect(resultString).toEqual(' style=\"text-align:left; \" rows=\"4\" cols=\"2\" colWidths=\"250, 250\"')
done();
});
it('Should handle object attribute values correctly', done => {
const attr = {
"style": {
"color": "red",
"font-size": "14px"
}
} as Attributes;

const resultString = attributeToString(attr);

expect(resultString).toEqual(' style="color:red; font-size:14px; "');
done();
});
it('Should convert arrays into comma-separated values', done => {
const attr = {
"data-values": [10, 20, 30]
} as Attributes;

const resultString = attributeToString(attr);

expect(resultString).toEqual(' data-values="10, 20, 30"');
done();
});
it('Should handle special characters in values properly', done => {
const attr = {
"title": 'This & That > Those < Them "Quoted"',
"description": "Hello <script>alert(xss)</script>"
} as Attributes;

const resultString = attributeToString(attr);

expect(resultString).toEqual(' title="This &amp; That &gt; Those &lt; Them &quot;Quoted&quot;" description="Hello &lt;script&gt;alert(xss)&lt;/script&gt;"');
done();
});

it('Should handle mixed types of values properly', done => {
const attr = {
"rows": 5,
"isEnabled": true,
"ids": [101, 102],
"style": { "margin": "10px", "padding": "5px" }
} as Attributes;

const resultString = attributeToString(attr);

expect(resultString).toEqual(' rows="5" isEnabled="true" ids="101, 102" style="margin:10px; padding:5px; "');
done();
});
it('Should sanitize both keys and values to prevent HTML injection', done => {
const attr = {
"<script>alert('key')</script>": "test",
"safeKey": "<script>alert(xss)</script>"
} as Attributes;

const resultString = attributeToString(attr);

expect(resultString).toEqual(' safeKey="&lt;script&gt;alert(xss)&lt;/script&gt;"');
done();
});
it('Should ignore attributes with forbidden characters in keys', done => {
const attr = {
"validKey": "safeValue",
'in"valid': "should be ignored",
"another>invalid": "should also be ignored"
} as Attributes;

const resultString = attributeToString(attr);

expect(resultString).toEqual(' validKey="safeValue"');
done();
});
})
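Review bot: the first added test name has a typo, "rignore" should be "ignore". More substantively, the three key-sanitization tests (the `"<ls"` key, the `<script>alert('key')</script>` key, and the `in"valid` / `another>invalid` keys) all assert the same drop behaviour without ever pinning down which characters are forbidden; one table-driven test listing the rejected set explicitly, and including a key containing `'`, `=`, whitespace or `&`, would catch a later loosening of the pattern. The value-escaping test covers `&`, `<`, `>` and `"` but not `'`, which is only safe while output stays double-quoted, so asserting it makes the invariant explicit. The `done` callbacks are unnecessary in these synchronous tests.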
2 changes: 1 addition & 1 deletion __test__/mock/json-element-mock-result.ts
Expand Up @@ -24,7 +24,7 @@ const styleObjHtml = "<h1 style=\"text-align:justify;\">heading1</h1><h2 style=\
const referenceObjHtml = "<p><a class=\"embedded-entry redactor-component block-entry\" href=\"/test\" target=\"_self\">Embed entry as a link</a></p><p><a class=\"embedded-entry redactor-component block-entry\" href=\"/entry-3\" target=\"_blank\">Open entry as a link in new tab</a></p><p><a class=\"embedded-entry redactor-component block-entry\" href=\"/entry-2\" target=\"_self\">Bold entry</a></p><p><a class=\"embedded-entry redactor-component block-entry\" href=\"/entry-4\" target=\"_blank\"><strong>Bold entry open in new tab</strong></a></p>"
const referenceObjHtmlBlock = "<p><a class=\"embedded-entry redactor-component block-entry\" href=\"/Test\" target=\"_self\">Embed entry as a link</a></p><p><a class=\"embedded-entry redactor-component block-entry\" href=\"undefined\" target=\"_blank\">Embed entry as a link open in new tab</a></p><ul><li><a class=\"embedded-entry redactor-component block-entry\" href=\"undefined\" target=\"_self\">Entry as a link</a></li><li><a class=\"embedded-entry redactor-component block-entry\" href=\"undefined\" target=\"_blank\">Open entry as a link in new tab</a></li><li><a class=\"embedded-entry redactor-component block-entry\" href=\"undefined\" target=\"_self\"><strong><u>Entry as a link bold</u></strong></a></li><li><a class=\"embedded-entry redactor-component block-entry\" href=\"khjgf\" target=\"_blank\"><strong><u>Open bold entry as a link in new tab </u></strong></a></li><li><a href=\"https://\" target=\"_self\"><strong><u>Link URL</u></strong></a></li><li><a href=\"https://\" target=\"_blank\"><strong><u>Open link in new tab</u></strong></a></li></ul>"
const imagetags = "<figure style=\"text-align:right;max-width:137px;float:right;width:137px;max-height:257px;height:257px;\"><a href=\"https://batman.com\" target=\"_blank\"><img asset_uid=\"asset-UID\" class=\"embedded-asset\" src=\"https://images.contentstack.io/v3/assets/api-key/asset-UID/random-uid/batman.png\" alt=\"batman\" target=\"_blank\" style=\"text-align:right;max-width:137px;float:right;width:137px;max-height:257px;height:257px;\" /></a><figcaption>The Batman</figcaption></figure>"
const escapeHtml = "<p>&lt;p&gt;Welcome to Contentstack! &lt;script&gt;console.log(/\"Hello from Contentstack!/\");&lt;/script&gt; Explore our platform to create, manage, and publish content seamlessly.&lt;/p&gt;</p>"
const escapeHtml = "<p>&lt;p&gt;Welcome to Contentstack! &lt;script&gt;console.log(/&quot;Hello from Contentstack!/&quot;);&lt;/script&gt; Explore our platform to create, manage, and publish content seamlessly.&lt;/p&gt;</p>"

export {
h1Html,
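Review bot: the updated expectation (`/\"` becoming `/&quot;`) sits inside `<p>` text content, not inside an attribute value, so this mock now documents that the new escaping routine is also applied to text nodes. `&quot;` there is valid HTML but not required, so it is worth confirming this is intended rather than a side effect of sharing one escaper between attribute values and text; if intended, a one-line comment on `escapeHtml` saying why the text-node quote is encoded would stop the next reader from reverting it.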