Hydro/packages/ui-default/backendlib/markdown-it-xss.js

const Xss = require('xss');

const xss = new Xss.FilterXSS({
  whiteList: {
    a: ['target', 'href', 'title'],
    abbr: ['title'],
    address: [],
    area: ['shape', 'coords', 'href', 'alt'],
    article: [],
    aside: [],
    audio: ['autoplay', 'controls', 'loop', 'preload', 'src'],
    b: [],
    bdi: ['dir'],
    bdo: ['dir'],
    big: [],
    blockquote: ['cite', 'class'],
    br: [],
    caption: [],
    center: [],
    cite: [],
    code: ['class'],
    col: ['align', 'valign', 'span', 'width'],
    colgroup: ['align', 'valign', 'span', 'width'],
    dd: [],
    del: ['datetime'],
    details: ['open'],
    div: ['class'],
    dl: [],
    dt: [],
    em: [],
    font: ['color', 'size', 'face'],
    h1: [],
    h2: ['class'],
    h3: [],
    h4: [],
    h5: [],
    h6: [],
    header: [],
    hr: [],
    i: [],
    img: ['src', 'alt', 'title', 'width', 'height'],
    ins: ['datetime'],
    li: [],
    mark: [],
    ol: [],
    p: [],
    pre: [],
    s: [],
    section: [],
    small: [],
    span: ['class'],
    sub: [],
    summary: [],
    sup: [],
    strong: [],
    table: ['width', 'border', 'align', 'valign'],
    tbody: ['align', 'valign'],
    td: ['width', 'rowspan', 'colspan', 'align', 'valign', 'bgcolor'],
    tfoot: ['align', 'valign'],
    th: ['width', 'rowspan', 'colspan', 'align', 'valign'],
    thead: ['align', 'valign'],
    tr: ['rowspan', 'align', 'valign'],
    tt: [],
    u: [],
    ul: [],
    var: [],
    video: ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],
  },
});

function xssProtector(md) {
  function protector(state) {
    for (let i = 0; i < state.tokens.length; i++) {
      const cur = state.tokens[i];
      if (cur.type === 'html_block') {
        cur.content = xss.process(cur.content);
      }
      if (cur.type === 'inline') {
        const inlineTokens = cur.children;
        for (let ii = 0; ii < inlineTokens.length; ii++) {
          if (inlineTokens[ii].type === 'html_inline') {
            inlineTokens[ii].content = xss.process(inlineTokens[ii].content);
          }
        }
      }
    }
  }

  md.core.ruler.after('linkify', 'xss', protector);
}

module.exports = { xss, xssProtector };
ui: allow using html in markdown 3 years ago			`const Xss = require('xss');`

			`const xss = new Xss.FilterXSS({`
ui: allow blockquote class 3 years ago			`whiteList: {`
			`a: ['target', 'href', 'title'],`
			`abbr: ['title'],`
			`address: [],`
			`area: ['shape', 'coords', 'href', 'alt'],`
			`article: [],`
			`aside: [],`
			`audio: ['autoplay', 'controls', 'loop', 'preload', 'src'],`
			`b: [],`
			`bdi: ['dir'],`
			`bdo: ['dir'],`
			`big: [],`
			`blockquote: ['cite', 'class'],`
			`br: [],`
			`caption: [],`
			`center: [],`
			`cite: [],`
			`code: ['class'],`
			`col: ['align', 'valign', 'span', 'width'],`
			`colgroup: ['align', 'valign', 'span', 'width'],`
			`dd: [],`
			`del: ['datetime'],`
			`details: ['open'],`
			`div: ['class'],`
			`dl: [],`
			`dt: [],`
			`em: [],`
			`font: ['color', 'size', 'face'],`
			`h1: [],`
			`h2: ['class'],`
			`h3: [],`
			`h4: [],`
			`h5: [],`
			`h6: [],`
			`header: [],`
			`hr: [],`
			`i: [],`
			`img: ['src', 'alt', 'title', 'width', 'height'],`
			`ins: ['datetime'],`
			`li: [],`
			`mark: [],`
			`ol: [],`
			`p: [],`
			`pre: [],`
			`s: [],`
			`section: [],`
			`small: [],`
			`span: ['class'],`
			`sub: [],`
			`summary: [],`
			`sup: [],`
			`strong: [],`
			`table: ['width', 'border', 'align', 'valign'],`
			`tbody: ['align', 'valign'],`
			`td: ['width', 'rowspan', 'colspan', 'align', 'valign', 'bgcolor'],`
			`tfoot: ['align', 'valign'],`
			`th: ['width', 'rowspan', 'colspan', 'align', 'valign'],`
			`thead: ['align', 'valign'],`
			`tr: ['rowspan', 'align', 'valign'],`
			`tt: [],`
			`u: [],`
			`ul: [],`
			`var: [],`
			`video: ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width'],`
			`},`
ui: allow using html in markdown 3 years ago			`});`

			`function xssProtector(md) {`
ui: allow blockquote class 3 years ago			`function protector(state) {`
			`for (let i = 0; i < state.tokens.length; i++) {`
			`const cur = state.tokens[i];`
			`if (cur.type === 'html_block') {`
			`cur.content = xss.process(cur.content);`
			`}`
			`if (cur.type === 'inline') {`
			`const inlineTokens = cur.children;`
			`for (let ii = 0; ii < inlineTokens.length; ii++) {`
			`if (inlineTokens[ii].type === 'html_inline') {`
			`inlineTokens[ii].content = xss.process(inlineTokens[ii].content);`
			`}`
ui: allow using html in markdown 3 years ago			`}`
ui: allow blockquote class 3 years ago			`}`
ui: allow using html in markdown 3 years ago			`}`
ui: allow blockquote class 3 years ago			`}`
ui: allow using html in markdown 3 years ago
ui: allow blockquote class 3 years ago			`md.core.ruler.after('linkify', 'xss', protector);`
ui: allow using html in markdown 3 years ago			`}`

			`module.exports = { xss, xssProtector };`