Merge pull request velopert#68 from velopert/fix/sanitize-html

Sanitize html and allow embedding

Author: velopert

package.json

@@ -44,6 +44,7 @@
     "@types/react-router-dom": "^5.1.3",
     "@types/react-textarea-autosize": "^4.3.5",
     "@types/react-toastify": "^4.1.0",
+    "@types/sanitize-html": "^1.20.2",
     "@types/styled-components": "^4.4.1",
     "@types/throttle-debounce": "^2.1.0",
     "@typescript-eslint/eslint-plugin": "^2.8.0",
@@ -128,6 +129,7 @@
     "remark-slug": "^5.1.2",
     "resolve": "1.12.2",
     "resolve-url-loader": "3.1.1",
+    "sanitize-html": "^1.21.1",
     "sass-loader": "8.0.0",
     "semver": "6.3.0",
     "serverless-webpack": "^5.3.1",

src/components/common/MarkdownRender.tsx

@@ -12,11 +12,13 @@ import { loadScript, ssrEnabled } from '../../lib/utils';
 import media from '../../lib/styles/media';
 import parse from 'html-react-parser';
 import { throttle } from 'throttle-debounce';
+import sanitize from 'sanitize-html';
 
 export interface MarkdownRenderProps {
   markdown: string;
   codeTheme?: string;
   onConvertFinish?: (html: string) => any;
+  editing?: boolean;
 }
 
 const MarkdownRenderBlock = styled.div`
@@ -59,26 +61,84 @@ const MarkdownRenderBlock = styled.div`
     margin-bottom: 1.5rem;
   }
 
-  .youtube {
+  iframe {
     width: 768px;
     height: 430px;
     max-width: 100%;
     background: black;
     display: block;
     margin: auto;
+    border: none;
+    border-radius: 4px;
+    overflow: hidden;
   }
 
   .twitter-wrapper {
     display: flex;
     justify-content: center;
-    height: 580px;
     align-items: center;
     blockquote {
       border-left: none;
     }
   }
 `;
 
+function filter(html: string) {
+  return sanitize(html, {
+    allowedTags: [
+      'h1',
+      'h2',
+      'h3',
+      'h4',
+      'h5',
+      'h6',
+      'blockquote',
+      'p',
+      'a',
+      'ul',
+      'ol',
+      'nl',
+      'li',
+      'b',
+      'i',
+      'strong',
+      'em',
+      'strike',
+      'code',
+      'hr',
+      'br',
+      'div',
+      'table',
+      'thead',
+      'caption',
+      'tbody',
+      'tr',
+      'th',
+      'td',
+      'pre',
+      'iframe',
+      'span',
+    ],
+    allowedAttributes: {
+      a: ['href', 'name', 'target'],
+      img: ['src'],
+      iframe: ['src', 'allow', 'allowfullscreen', 'scrolling', 'class'],
+      '*': ['class', 'id'],
+    },
+    allowedStyles: {
+      '*': {
+        // Match HEX and RGB
+        color: [
+          /^#(0x)?[0-9a-f]+$/i,
+          /^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$/,
+        ],
+        'text-align': [/^left$/, /^right$/, /^center$/],
+      },
+    },
+    allowedIframeHostnames: ['www.youtube.com', 'codesandbox.io', 'codepen.io'],
+  });
+}
+
 const { useState, useEffect } = React;
 
 type RenderedElement =
@@ -91,20 +151,23 @@ const MarkdownRender: React.FC<MarkdownRenderProps> = ({
   markdown,
   codeTheme = 'atom-one-light',
   onConvertFinish,
+  editing,
 }) => {
   const initialHtml = ssrEnabled
     ? remark()
         .use(breaks)
         .use(prismPlugin)
-        .use(htmlPlugin)
+        .use(htmlPlugin, {
+          sanitize: true,
+        })
         .use(embedPlugin)
         .use(slug)
         .processSync(markdown)
         .toString()
     : '';
 
   const [element, setElement] = useState<RenderedElement>(
-    ssrEnabled ? parse(initialHtml) : null,
+    ssrEnabled ? parse(filter(initialHtml)) : null,
   );
 
   const applyElement = React.useMemo(() => {
@@ -131,11 +194,11 @@ const MarkdownRender: React.FC<MarkdownRenderProps> = ({
           // if (window && (window as any).twttr) return;
           loadScript('https://platform.twitter.com/widgets.js');
         }
-        const el = parse(html);
+        const el = parse(editing ? html : filter(html));
 
         applyElement(el);
       });
-  }, [applyElement, markdown, onConvertFinish]);
+  }, [applyElement, editing, markdown, onConvertFinish]);
 
   return (
     <Typography>

src/components/write/MarkdownPreview.tsx

@@ -31,7 +31,7 @@ const MarkdownPreview: React.FC<MarkdownPreviewProps> = ({
   return (
     <MarkdownPreviewBlock id="preview">
       <Title>{title}</Title>
-      <MarkdownRender markdown={markdown} />
+      <MarkdownRender markdown={markdown} editing />
     </MarkdownPreviewBlock>
   );
 };

src/components/write/WriteMarkdownEditor.tsx

@@ -170,11 +170,18 @@ const checker = {
     return pathMatch[1];
   },
   codesandbox: (text: string) => {
-    const regex = /^<iframe src="https:\/\/codesandbox.io\/embed\/(.*?)".*<\/iframe>$/;
+    const regex = /^<iframe.*src="https:\/\/codesandbox.io\/embed\/(.*?)".*<\/iframe>$/s;
     const result = regex.exec(text);
     if (!result) return null;
     return result[1];
   },
+  codepen: (text: string) => {
+    const regex = /^<iframe.*src="https:\/\/codepen.io\/(.*?)".*/;
+    const result = regex.exec(text);
+    console.log(result);
+    if (!result) return null;
+    return result[1];
+  },
 };
 
 type CheckerKey = keyof typeof checker;

src/lib/remark/embedPlugin.ts

@@ -2,14 +2,16 @@ import visit from 'unist-util-visit';
 
 // const regex = /!(youtube|twitter|codesandbox)\[(.*?)\]/;
 
-const embedTypeRegex = /^!(youtube|twitter|codesandbox)$/;
+const embedTypeRegex = /^!(youtube|twitter|codesandbox|codepen)$/;
 const converters = {
   youtube: (code: string) =>
-    `<iframe class="youtube" src="https://www.youtube.com/embed/%3Cspan%20class="pl-s1">${code}" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>`,
+    `<iframe class="embed" src="https://www.youtube.com/embed/%3Cspan%20class="pl-s1">${code}" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>`,
   twitter: (code: string) =>
     `<blockquote class="twitter-wrapper"><blockquote class="twitter-tweet" data-lang="ko"><a href="https://twitter.com/${code}"></a></blockquote></blockquote>`,
   codesandbox: (code: string) =>
-    `<iframe src="https://codesandbox.io/embed/${code}" style="width:100%; height:500px; border:0; border-radius: 4px; overflow:hidden;" sandbox="allow-modals allow-forms allow-popups allow-scripts allow-same-origin"></iframe>`,
+    `<iframe class="embed" src="https://codesandbox.io/embed/${code}" sandbox="allow-modals allow-forms allow-popups allow-scripts allow-same-origin"></iframe>`,
+  codepen: (code: string) =>
+    `<iframe class="embed" scrolling="no" title="Tab Menu Layout2" src="https://codepen.io/${code}" frameborder="no" allowtransparency="true" allowfullscreen="true"></iframe>`,
 };
 
 type ConverterKey = keyof typeof converters;

src/lib/styles/prismThemes.ts

@@ -316,7 +316,7 @@ const prismThemes = {
     code[class*='language-'],
     pre[class*='language-'] {
       color: #f8f8f2;
-      text-shadow: 0 1px rgba(0, 0, 0, 0.3); // direction: ltr;
+      text-shadow: 0 1px rgba(0, 0, 0, 0.3);
     }
 
     :not(pre) > code[class*='language-'],
@@ -326,7 +326,7 @@ const prismThemes = {
 
     pre {
       color: #f8f8f2;
-      text-shadow: 0 1px rgba(0, 0, 0, 0.3); // direction: ltr;
+      text-shadow: 0 1px rgba(0, 0, 0, 0.3);
       background: #272822;
     }
 
@@ -429,7 +429,7 @@ http://prismjs.com/download.html#themes=prism&languages=markup+css+clike+javascr
     code[class*='language-'],
     pre[class*='language-'] {
       color: #ccc;
-      background: rgb(40, 41, 54); // text-shadow: none;
+      background: rgb(40, 41, 54);
     }
 
     pre[class*='language-']::-moz-selection,

yarn.lock

@@ -1501,11 +1501,18 @@
   dependencies:
     date-fns "*"
 
-"@types/[email protected]":
+"@types/domhandler@*", "@types/domhandler@2.4.1":
   version "2.4.1"
   resolved "https://registry.yarnpkg.com/@types/domhandler/-/domhandler-2.4.1.tgz#7b3b347f7762180fbcb1ece1ce3dd0ebbb8c64cf"
   integrity sha512-cfBw6q6tT5sa1gSPFSRKzF/xxYrrmeiut7E0TxNBObiLSBTuFEHibcfEe3waQPEDbqBsq+ql/TOniw65EyDFMA==
 
+"@types/domutils@*":
+  version "1.7.2"
+  resolved "https://registry.yarnpkg.com/@types/domutils/-/domutils-1.7.2.tgz#89422e579c165994ad5c09ce90325da596cc105d"
+  integrity sha512-Nnwy1Ztwq42SSNSZSh9EXBJGrOZPR+PQ2sRT4VZy8hnsFXfCil7YlKO2hd2360HyrtFz2qwnKQ13ENrgXNxJbw==
+  dependencies:
+    "@types/domhandler" "*"
+
 "@types/eslint-visitor-keys@^1.0.0":
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/@types/eslint-visitor-keys/-/eslint-visitor-keys-1.0.0.tgz#1ee30d79544ca84d68d4b3cdb0af4f205663dd2d"
@@ -1560,6 +1567,15 @@
     "@types/react" "*"
     hoist-non-react-statics "^3.3.0"
 
+"@types/htmlparser2@*":
+  version "3.10.1"
+  resolved "https://registry.yarnpkg.com/@types/htmlparser2/-/htmlparser2-3.10.1.tgz#1e65ba81401d53f425c1e2ba5a3d05c90ab742c7"
+  integrity sha512-fCxmHS4ryCUCfV9+CJZY1UjkbR+6Al/EQdX5Jh03qBj9gdlPG5q+7uNoDgE/ZNXb3XNWSAQgqKIWnbRCbOyyWA==
+  dependencies:
+    "@types/domhandler" "*"
+    "@types/domutils" "*"
+    "@types/node" "*"
+
 "@types/http-assert@*":
   version "1.5.1"
   resolved "https://registry.yarnpkg.com/@types/http-assert/-/http-assert-1.5.1.tgz#d775e93630c2469c2f980fc27e3143240335db3b"
@@ -1834,6 +1850,13 @@
     "@types/prop-types" "*"
     csstype "^2.2.0"
 
+"@types/sanitize-html@^1.20.2":
+  version "1.20.2"
+  resolved "https://registry.yarnpkg.com/@types/sanitize-html/-/sanitize-html-1.20.2.tgz#59777f79f015321334e3a9f28882f58c0a0d42b8"
+  integrity sha512-SrefiiBebGIhxEFkpbbYOwO1S6+zQLWAC4s4tipchlHq1aO9bp0xiapM7Zm0ml20MF+3OePWYdksB1xtneKPxg==
+  dependencies:
+    "@types/htmlparser2" "*"
+
 "@types/serve-static@*":
   version "1.13.3"
   resolved "https://registry.yarnpkg.com/@types/serve-static/-/serve-static-1.13.3.tgz#eb7e1c41c4468272557e897e9171ded5e2ded9d1"
@@ -2514,7 +2537,7 @@ array-union@^1.0.1:
   dependencies:
     array-uniq "^1.0.1"
 
-array-uniq@^1.0.1:
+array-uniq@^1.0.1, array-uniq@^1.0.2:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/array-uniq/-/array-uniq-1.0.3.tgz#af6ac877a25cc7f74e058894753858dfdb24fdb6"
   integrity sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=
@@ -6362,7 +6385,7 @@ [email protected]:
     tapable "^1.1.0"
     util.promisify "1.0.0"
 
-[email protected], htmlparser2@^3.3.0:
+[email protected], htmlparser2@^3.10.0, htmlparser2@^3.3.0:
   version "3.10.1"
   resolved "https://registry.yarnpkg.com/htmlparser2/-/htmlparser2-3.10.1.tgz#bd679dc3f59897b6a34bb10749c855bb53a9392f"
   integrity sha512-IgieNijUMbkDovyoKObU1DUhm1iwNYE/fuifEoEHfd1oZKZDaONBSkal7Y01shxsM49R4XaMdGez3WnF9UfiCQ==
@@ -8018,21 +8041,46 @@ lodash._reinterpolate@^3.0.0:
   resolved "https://registry.yarnpkg.com/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz#0ccf2d89166af03b3663c796538b75ac6e114d9d"
   integrity sha1-DM8tiRZq8Ds2Y8eWU4t1rG4RTZ0=
 
+lodash.clonedeep@^4.5.0:
+  version "4.5.0"
+  resolved "https://registry.yarnpkg.com/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz#e23f3f9c4f8fbdde872529c1071857a086e5ccef"
+  integrity sha1-4j8/nE+Pvd6HJSnBBxhXoIblzO8=
+
 lodash.defaults@^4.2.0:
   version "4.2.0"
   resolved "https://registry.yarnpkg.com/lodash.defaults/-/lodash.defaults-4.2.0.tgz#d09178716ffea4dde9e5fb7b37f6f0802274580c"
   integrity sha1-0JF4cW/+pN3p5ft7N/bwgCJ0WAw=
 
+lodash.escaperegexp@^4.1.2:
+  version "4.1.2"
+  resolved "https://registry.yarnpkg.com/lodash.escaperegexp/-/lodash.escaperegexp-4.1.2.tgz#64762c48618082518ac3df4ccf5d5886dae20347"
+  integrity sha1-ZHYsSGGAglGKw99Mz11YhtriA0c=
+
 lodash.flatten@^4.4.0:
   version "4.4.0"
   resolved "https://registry.yarnpkg.com/lodash.flatten/-/lodash.flatten-4.4.0.tgz#f31c22225a9632d2bbf8e4addbef240aa765a61f"
   integrity sha1-8xwiIlqWMtK7+OSt2+8kCqdlph8=
 
+lodash.isplainobject@^4.0.6:
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz#7c526a52d89b45c45cc690b88163be0497f550cb"
+  integrity sha1-fFJqUtibRcRcxpC4gWO+BJf1UMs=
+
+lodash.isstring@^4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz#d527dfb5456eca7cc9bb95d5daeaf88ba54a5451"
+  integrity sha1-1SfftUVuynzJu5XV2ur4i6VKVFE=
+
 lodash.memoize@^4.1.2:
   version "4.1.2"
   resolved "https://registry.yarnpkg.com/lodash.memoize/-/lodash.memoize-4.1.2.tgz#bcc6c49a42a2840ed997f323eada5ecd182e0bfe"
   integrity sha1-vMbEmkKihA7Zl/Mj6tpezRguC/4=
 
+lodash.mergewith@^4.6.1:
+  version "4.6.2"
+  resolved "https://registry.yarnpkg.com/lodash.mergewith/-/lodash.mergewith-4.6.2.tgz#617121f89ac55f59047c7aec1ccd6654c6590f55"
+  integrity sha512-GK3g5RPZWTRSeLSpgP8Xhra+pnjBC56q9FZYe1d5RN3TJ35dbkGy3YqBSMbyCrlbi+CM9Z3Jk5yTL7RCsqboyQ==
+
 lodash.sortby@^4.7.0:
   version "4.7.0"
   resolved "https://registry.yarnpkg.com/lodash.sortby/-/lodash.sortby-4.7.0.tgz#edd14c824e2cc9c1e0b0a1b42bb5210516a42438"
@@ -11337,6 +11385,22 @@ sane@^4.0.3:
     minimist "^1.1.1"
     walker "~1.0.5"
 
+sanitize-html@^1.21.1:
+  version "1.21.1"
+  resolved "https://registry.yarnpkg.com/sanitize-html/-/sanitize-html-1.21.1.tgz#1647d15c0c672901aa41eac1b86d0c38146d30ce"
+  integrity sha512-W6enXSVphVaVbmVbzVngBthR5f5sMmhq3EfPfBlzBzp2WnX8Rnk7NGpP7KmHUc0Y3MVk9tv/+CbpdHchX9ai7g==
+  dependencies:
+    chalk "^2.4.1"
+    htmlparser2 "^3.10.0"
+    lodash.clonedeep "^4.5.0"
+    lodash.escaperegexp "^4.1.2"
+    lodash.isplainobject "^4.0.6"
+    lodash.isstring "^4.0.1"
+    lodash.mergewith "^4.6.1"
+    postcss "^7.0.5"
+    srcset "^1.0.0"
+    xtend "^4.0.1"
+
 sanitize.css@^10.0.0:
   version "10.0.0"
   resolved "https://registry.yarnpkg.com/sanitize.css/-/sanitize.css-10.0.0.tgz#b5cb2547e96d8629a60947544665243b1dc3657a"
@@ -11834,6 +11898,14 @@ sprintf-js@~1.0.2:
   resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
   integrity sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=
 
+srcset@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/srcset/-/srcset-1.0.0.tgz#a5669de12b42f3b1d5e83ed03c71046fc48f41ef"
+  integrity sha1-pWad4StC87HV6D7QPHEEb8SPQe8=
+  dependencies:
+    array-uniq "^1.0.2"
+    number-is-nan "^1.0.0"
+
 sshpk@^1.7.0:
   version "1.16.1"
   resolved "https://registry.yarnpkg.com/sshpk/-/sshpk-1.16.1.tgz#fb661c0bef29b39db40769ee39fa70093d6f6877"