adds bytestream sanitizer

2024-11-14 19:25:41 -05:00 · 2022-08-12 15:12:03 -04:00 · 2022-08-12 15:12:03 -04:00 · 608d4508e0
commit 608d4508e0
parent 4ba3995a1c
3 changed files with 48 additions and 0 deletions
--- a/package.json
+++ b/package.json
@ -26,6 +26,7 @@
    "base64-js": "1.2.1",
    "base64-loader": "1.0.0",
    "dompurify": "2.2.7",
+    "fastestsmallesttextencoderdecoder": "^1.0.22",
    "minilog": "3.1.0",
    "transformation-matrix": "1.15.0"
  },
--- a/src/index.js
+++ b/src/index.js
@ -2,6 +2,7 @@ const SVGRenderer = require('./svg-renderer');
 const BitmapAdapter = require('./bitmap-adapter');
 const inlineSvgFonts = require('./font-inliner');
 const loadSvgString = require('./load-svg-string');
+const sanitizeSvg = require('./sanitize-svg');
 const serializeSvgToString = require('./serialize-svg-to-string');
 const SvgElement = require('./svg-element');
 const convertFonts = require('./font-converter');
@ -14,6 +15,7 @@ module.exports = {
    convertFonts: convertFonts,
    inlineSvgFonts: inlineSvgFonts,
    loadSvgString: loadSvgString,
+    sanitizeSvg: sanitizeSvg,
    serializeSvgToString: serializeSvgToString,
    SvgElement: SvgElement,
    SVGRenderer: SVGRenderer
--- a/src/sanitize-svg.js
+++ b/src/sanitize-svg.js
@ -0,0 +1,45 @@
+const DOMPurify = require('dompurify');
+
+const sanitizeSvg = {};
+
+DOMPurify.addHook(
+    'beforeSanitizeAttributes',
+    currentNode => {
+        console.log('in the hook!');
+        if (currentNode && currentNode.href && currentNode.href.baseVal &&
+            currentNode.href.baseVal.replace(/\s/g, '').slice(0, 5) !== 'data:'){
+            currentNode.attributes.removeNamedItem('href');
+            delete currentNode.href;
+        }
+        return currentNode;
+    }
+);
+
+let _TextDecoder;
+let _TextEncoder;
+if (typeof TextDecoder === 'undefined' || typeof TextEncoder === 'undefined') {
+    // Wait to require the text encoding polyfill until we know it's needed.
+    // eslint-disable-next-line global-require
+    const encoding = require('fastestsmallesttextencoderdecoder');
+    _TextDecoder = encoding.TextDecoder;
+    _TextEncoder = encoding.TextEncoder;
+} else {
+    _TextDecoder = TextDecoder;
+    _TextEncoder = TextEncoder;
+}
+
+sanitizeSvg.sanitizeByteStream = function (data){
+    console.log('calling me!');
+    const decoder = new _TextDecoder();
+    const encoder = new _TextEncoder();
+
+    const sanitizedValue = DOMPurify.sanitize(decoder.decode(data), {
+        USE_PROFILES: {svg: true}
+    });
+
+    console.log('before >', decoder.decode(data));
+    console.log('after >', sanitizedValue);
+    return encoder.encode(sanitizedValue);
+};
+
+module.exports = sanitizeSvg;