pimped the xss hook to accept dot syntax and work on after and before hooks

appinteractive · appinteractive · commit b649f1147711 · 2018-04-16T15:54:23.000+02:00
diff --git a/server/hooks/xss.js b/server/hooks/xss.js
@@ -1,6 +1,7 @@
+const { getByDot, setByDot, getItems, replaceItems } = require('feathers-hooks-common');
 const sanitizeHtml = require('sanitize-html');
 // const embedToAnchor = require('quill-url-embeds/dist/embed-to-anchor');
-const _ = require('lodash');
+const { isEmpty } = require('lodash');
 const cheerio = require('cheerio');
 
 const embedToAnchor = (content) => {
@@ -14,6 +15,10 @@ const embedToAnchor = (content) => {
 };
 
 function clean (dirty) {
+  if (!dirty) {
+    return dirty;
+  }
+
   // Convert embeds to a-tags
   dirty = embedToAnchor(dirty);
   dirty = sanitizeHtml(dirty, {
@@ -42,7 +47,7 @@ function clean (dirty) {
       s: 'strike'
     //   'img': function (tagName, attribs) {
     //     let src = attribs.src;
-    //     if (_.isEmpty(hook.result)) {
+    //     if (isEmpty(hook.result)) {
     //       const config = hook.app.get('thumbor');
     //       if (config && src.indexOf(config < 0)) {
     //         // download image
@@ -74,26 +79,37 @@ function clean (dirty) {
   return dirty;
 }
 
+// iterate through all fields and clean the values
+function cleanAllFields (items, fields) {
+  if (!items) {
+    return items;
+  }
+
+  if (Array.isArray(items)) {
+    // items is an array so fall this function for all items
+    items.forEach((item, key) => {
+      items[key] = cleanAllFields(items[key], fields);
+    });
+  } else {
+    // clean value for all fields on the single given item
+    fields.forEach((field) => {
+      // get item by dot notation
+      const value = getByDot(items, field);
+      // set cleaned item by dot notation
+      setByDot(items, field, clean(value));
+    });
+  }
+  return items;
+}
+
 module.exports = function (options = { fields: [] }) {
   return function (hook) {
     return new Promise(resolve => {
-      options.fields.forEach(field => {
-        try {
-          if (!_.isEmpty(hook.result) && !_.isEmpty(hook.result[field])) {
-            hook.result[field] = clean(hook.result[field], hook);
-          } else if (!_.isEmpty(hook.result) && !_.isEmpty(hook.result.data)) {
-            hook.result.data.forEach((result, i) => {
-              if (!_.isEmpty(hook.result.data[i][field])) {
-                hook.result.data[i][field] = clean(hook.result.data[i][field], hook);
-              }
-            });
-          } else if (!_.isEmpty(hook.data) && !_.isEmpty(hook.data[field])) {
-            hook.data[field] = clean(hook.data[field]);
-          }
-        } catch (err) {
-          hook.app.error(err);
-        }
-      });
+      const isFindOrGet = ['find', 'get'].includes(hook.method);
+      const items = getItems(hook);
+      if (!isEmpty(items) && !(isFindOrGet && hook.type === 'before')) {
+        replaceItems(hook, cleanAllFields(items, options.fields));
+      }
       resolve(hook);
     });
   };
