Home Explore Help
Sign In
SMusatov
/
sentry
mirror of https://github.com/getsentry/sentry
1
0
Fork 0
Files
Tree: 28a3409735
Branches Tags
sentry
/
static
/
app
/
utils
/
marked.tsx

marked.tsx 2.1 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. import dompurify from 'dompurify';
    2. 

  2. import marked from 'marked'; // eslint-disable-line no-restricted-imports
    3. 

  3. 

  4. import {IS_ACCEPTANCE_TEST, NODE_ENV} from 'sentry/constants';
    5. 

  5. 

  6. // Only https and mailto, (e.g. no javascript, vbscript, data protocols)
    7. 

  7. const safeLinkPattern = /^(https?:|mailto:)/i;
    8. 

  8. 

  9. const safeImagePattern = /^https?:\/\/./i;
    10. 

  10. 

  11. function isSafeHref(href: string, pattern: RegExp) {
    12. 

  12.   try {
    13. 

  13.     return pattern.test(decodeURIComponent(unescape(href)));
    14. 

  14.   } catch {
    15. 

  15.     return false;
    16. 

  16.   }
    17. 

  17. }
    18. 

  18. 

  19. /**
    20. 

  20.  * Implementation of marked.Renderer which additonally sanitizes URLs.
    21. 

  21.  */
    22. 

  22. class SafeRenderer extends marked.Renderer {
    23. 

  23.   link(href: string, title: string, text: string) {
    24. 

  24.     // For a bad link, just return the plain text href
    25. 

  25.     if (!isSafeHref(href, safeLinkPattern)) {
    26. 

  26.       return href;
    27. 

  27.     }
    28. 

  28. 

  29.     const out = `<a href="${href}"${title ? ` title="${title}"` : ''}>${text}</a>`;
    30. 

  30.     return dompurify.sanitize(out);
    31. 

  31.   }
    32. 

  32. 

  33.   image(href: string, title: string, text: string) {
    34. 

  34.     // For a bad image, return an empty string
    35. 

  35.     if (this.options.sanitize && !isSafeHref(href, safeImagePattern)) {
    36. 

  36.       return '';
    37. 

  37.     }
    38. 

  38. 

  39.     return `<img src="${href}" alt="${text}"${title ? ` title="${title}"` : ''} />`;
    40. 

  40.   }
    41. 

  41. }
    42. 

  42. 

  43. class NoParagraphRenderer extends SafeRenderer {
    44. 

  44.   paragraph(text: string) {
    45. 

  45.     return text;
    46. 

  46.   }
    47. 

  47. }
    48. 

  48. 

  49. marked.setOptions({
    50. 

  50.   renderer: new SafeRenderer(),
    51. 

  51.   sanitize: true,
    52. 

  52. 

  53.   // Silence sanitize deprecation warning in test / ci (CI sets NODE_NV
    54. 

  54.   // to production, but specifies `CI`).
    55. 

  55.   //
    56. 

  56.   // [!!] This has the side effect of causing failed markdown content to render
    57. 

  57.   //      as a html error, instead of throwing an exception, however none of
    58. 

  58.   //      our tests are rendering failed markdown so this is likely a safe
    59. 

  59.   //      tradeoff to turn off off the deprecation warning.
    60. 

  60.   silent: !!IS_ACCEPTANCE_TEST || NODE_ENV === 'test',
    61. 

  61. });
    62. 

  62. 

  63. const sanitizedMarked = (...args: Parameters<typeof marked>) =>
    64. 

  64.   dompurify.sanitize(marked(...args));
    65. 

  65. 

  66. const singleLineRenderer = (text: string, options: marked.MarkedOptions = {}) =>
    67. 

  67.   sanitizedMarked(text, {...options, renderer: new NoParagraphRenderer()});
    68. 

  68. 

  69. export {singleLineRenderer};
    70. 

  70. export default sanitizedMarked;
    71.