sanatize data on output as a quick fix

Author: appinteractive

package.json

@@ -94,6 +94,7 @@
     "raven": "~2.4.0",
     "request": "~2.83.0",
     "request-promise": "~4.2.2",
+    "sanitize-html": "^1.18.2",
     "serve-favicon": "~2.4.5",
     "shortid": "~2.2.8",
     "slug": "~0.9.1",

server/helper/thumbor-helper.js

@@ -18,7 +18,7 @@ ThumborUrlHelper.prototype = {
    * Set path of image
    * @param {String} imagePath [description]
    */
-  setImagePath: function(imagePath) {
+  setImagePath: function (imagePath) {
     this.imagePath = (imagePath.charAt(0) === '/') ?
       imagePath.substring(1, imagePath.length) : imagePath;
     return this;
@@ -27,7 +27,7 @@ ThumborUrlHelper.prototype = {
    * Combine image url and operations with secure and unsecure (unsafe) paths
    * @return {String}
    */
-  buildUrl: function(operations) {
+  buildUrl: function (operations) {
 
     if (this.THUMBOR_SECURITY_KEY) {
 
@@ -45,4 +45,4 @@ ThumborUrlHelper.prototype = {
   }
 };
 
-module.exports = ThumborUrlHelper;
+module.exports = ThumborUrlHelper;

server/hooks/xss.js

@@ -0,0 +1,67 @@
+const sanitizeHtml = require('sanitize-html');
+const _ = require('lodash');
+
+function clean (dirty, hook) {
+  return sanitizeHtml(dirty, {
+    allowedTags: ['iframe', 'img', 'p', 'br', 'b', 'i', 'em', 'strong', 'a', 'pre'],
+    allowedAttributes: {
+      a: ['href', 'data-*'],
+      img: [ 'src' ],
+      iframe: ['src', 'class', 'frameborder', 'allowfullscreen']
+    },
+    allowedIframeHostnames: ['www.youtube.com', 'player.vimeo.com'],
+    parser: {
+      lowerCaseTags: true
+    }
+    // transformTags: {
+    //   'img': function (tagName, attribs) {
+    //     let src = attribs.src;
+
+    //     const config = hook.app.get('thumbor');
+    //     if (config && src.indexOf(config < 0)) {
+    //       // download image
+
+    //       // make thumbnail
+
+    //       // const ThumborUrlHelper = require('../helper/thumbor-helper');
+    //       // const Thumbor = new ThumborUrlHelper(config.key || null, config.url || null);
+    //       // src = Thumbor
+    //       //   .setImagePath(src)
+    //       //   .buildUrl('740x0');
+    //     }
+    //     return {
+    //       tagName: 'img',
+    //       attribs: {
+    //         src: src
+    //       }
+    //     };
+    //   }
+    // }
+  });
+}
+
+module.exports = function (options = { fields: [] }) {
+  return function (hook) {
+    return new Promise(resolve => {
+      options.fields.forEach(field => {
+        try {
+          if (!_.isEmpty(hook.result) && !_.isEmpty(hook.result[field])) {
+            hook.result[field] = clean(hook.result[field], hook);
+          } else if (!_.isEmpty(hook.result) && !_.isEmpty(hook.result.data)) {
+            hook.result.data.forEach((result, i) => {
+              if (!_.isEmpty(hook.result.data[i][field])) {
+                hook.result.data[i][field] = clean(hook.result.data[i][field], hook);
+              }
+            });
+          } else if (!_.isEmpty(hook.data) && !_.isEmpty(hook.data[field])) {
+            hook.data[field] = clean(hook.data[field], hook);
+          }
+        } catch (err) {
+          hook.app.error(err);
+        }
+      });
+
+      resolve(hook);
+    });
+  };
+};

server/services/contributions/contributions.hooks.js

@@ -17,6 +17,7 @@ const getAssociatedCanDos = require('./hooks/get-associated-can-dos');
 const createMentionNotifications = require('./hooks/create-mention-notifications');
 const metascraper = require('./hooks/metascraper');
 const isSingleItem = require('../../hooks/is-single-item');
+const xss = require('../../hooks/xss');
 
 const userSchema = {
   include: {
@@ -91,6 +92,7 @@ module.exports = {
         isVerified()
       ),
       associateCurrentUser(),
+      // xss({ fields: ['content'] }),
       createSlug({ field: 'title' }),
       metascraper(),
       saveRemoteImages(['teaserImg']),
@@ -105,6 +107,7 @@ module.exports = {
         excludeDisabled(),
         restrictToOwner()
       ),
+      // xss({ fields: ['content'] }),
       metascraper(),
       saveRemoteImages(['teaserImg']),
       createExcerpt()
@@ -118,6 +121,7 @@ module.exports = {
         excludeDisabled(),
         restrictToOwner()
       ),
+      // xss({ fields: ['content'] }),
       metascraper(),
       saveRemoteImages(['teaserImg']),
       createExcerpt()
@@ -143,6 +147,7 @@ module.exports = {
       when(isSingleItem(),
         getAssociatedCanDos()
       ),
+      xss({ fields: ['content'] }),
       thumbnails({
         teaserImg: {
           cardS: '300x0',
@@ -157,6 +162,7 @@ module.exports = {
     ],
     get: [
       getAssociatedCanDos(),
+      xss({ fields: ['content'] }),
       thumbnails({
         teaserImg: {
           cardS: '300x0',
@@ -171,6 +177,7 @@ module.exports = {
     ],
     create: [
       createMentionNotifications(),
+      xss({ fields: ['content'] }),
       thumbnails({
         teaserImg: {
           cardS: '300x0',
@@ -185,6 +192,7 @@ module.exports = {
     ],
     update: [
       createMentionNotifications(),
+      xss({ fields: ['content'] }),
       thumbnails({
         teaserImg: {
           cardS: '300x0',
@@ -199,6 +207,7 @@ module.exports = {
     ],
     patch: [
       createMentionNotifications(),
+      xss({ fields: ['content'] }),
       thumbnails({
         teaserImg: {
           cardS: '300x0',

yarn.lock

@@ -2285,7 +2285,7 @@ got@^6.7.1:
     unzip-response "^2.0.1"
     url-parse-lax "^1.0.0"
 
-got@^8.3.0:
+got@~8.3.0:
   version "8.3.0"
   resolved "https://registry.yarnpkg.com/got/-/got-8.3.0.tgz#6ba26e75f8a6cc4c6b3eb1fe7ce4fec7abac8533"
   dependencies:
@@ -3573,7 +3573,7 @@ metascraper-video@^3.9.2:
     "@metascraper/helpers" "^3.9.2"
     video-extensions "~1.1.0"
 
-metascraper@^3.9.2:
+metascraper@~3.9.2:
   version "3.9.2"
   resolved "https://registry.yarnpkg.com/metascraper/-/metascraper-3.9.2.tgz#bc2d1705a80be619ddc254716d2bf9d98e92b1c2"
   dependencies:
@@ -4682,7 +4682,7 @@ [email protected], safe-buffer@^5.0.1, safe-buffer@^5.1.1, safe-buffer@~5.1.0, s
   version "5.1.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.1.tgz#893312af69b2123def71f57889001671eeb2c853"
 
-sanitize-html@~1.18.2:
+sanitize-html@^1.18.2, sanitize-html@~1.18.2:
   version "1.18.2"
   resolved "https://registry.yarnpkg.com/sanitize-html/-/sanitize-html-1.18.2.tgz#61877ba5a910327e42880a28803c2fbafa8e4642"
   dependencies: