Merge pull request #623 from KevinSJ/main

boutell · web-flow · commit 7df9d8b0d922 · 2023-06-13T09:39:53.000-04:00
Bug Fix: allow false in allowedClasses
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## UNRELEASED
 
+- Fix to allow `false` in `allowedClasses` attributes
 - Upgrade mocha version
 - Apply small linter fixes in tests
 - Add `.idea` temp files to `.gitignore`
diff --git a/README.md b/README.md
@@ -320,6 +320,8 @@ allowedClasses: {
 }
 ```
 
+If `allowedClasses` for a certain tag is `false`, all the classes for this tag will be allowed.
+
 > Note: It is advised that your regular expressions always begin with `^` so that you are requiring a known prefix. A regular expression with neither `^` nor `$` just requires that something appear in the middle.
 
 ### Allowed CSS Styles
diff --git a/index.js b/index.js
@@ -170,20 +170,24 @@ function sanitizeHtml(html, options, _recursing) {
       allowedAttributesMap[tag].push('class');
     }
 
-    allowedClassesMap[tag] = [];
-    allowedClassesRegexMap[tag] = [];
-    const globRegex = [];
-    classes.forEach(function(obj) {
-      if (typeof obj === 'string' && obj.indexOf('*') >= 0) {
-        globRegex.push(escapeStringRegexp(obj).replace(/\\\*/g, '.*'));
-      } else if (obj instanceof RegExp) {
-        allowedClassesRegexMap[tag].push(obj);
-      } else {
-        allowedClassesMap[tag].push(obj);
+    allowedClassesMap[tag] = classes;
+
+    if (Array.isArray(classes)) {
+      const globRegex = [];
+      allowedClassesMap[tag] = [];
+      allowedClassesRegexMap[tag] = [];
+      classes.forEach(function(obj) {
+        if (typeof obj === 'string' && obj.indexOf('*') >= 0) {
+          globRegex.push(escapeStringRegexp(obj).replace(/\\\*/g, '.*'));
+        } else if (obj instanceof RegExp) {
+          allowedClassesRegexMap[tag].push(obj);
+        } else {
+          allowedClassesMap[tag].push(obj);
+        }
+      });
+      if (globRegex.length) {
+        allowedClassesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$');
       }
-    });
-    if (globRegex.length) {
-      allowedClassesGlobMap[tag] = new RegExp('^(' + globRegex.join('|') + ')$');
     }
   });
 
diff --git a/test/test.js b/test/test.js
@@ -482,6 +482,20 @@ describe('sanitizeHtml', function() {
       '<p class="nifty simple dippy">whee</p>'
     );
   });
+  it('should allow all classes for a single tag if `allowedClasses` for the tag is false', function() {
+    assert.equal(
+      sanitizeHtml(
+        '<p class="nifty simple dippy">whee</p>',
+        {
+          allowedTags: [ 'p' ],
+          allowedClasses: {
+            p: false
+          }
+        }
+      ),
+      '<p class="nifty simple dippy">whee</p>'
+    );
+  });
   it('should allow only classes that matches `allowedClasses` regex', function() {
     assert.equal(
       sanitizeHtml(

Original file line number	Diff line number	Diff line change
`@@ -320,6 +320,8 @@ allowedClasses: {`
`320`	`320`	`}`
`321`	`321`	```
`322`	`322`
	`323`	+If `allowedClasses` for a certain tag is `false`, all the classes for this tag will be allowed.
	`324`	`+`
`323`	`325`	> Note: It is advised that your regular expressions always begin with `^` so that you are requiring a known prefix. A regular expression with neither `^` nor `$` just requires that something appear in the middle.
`324`	`326`
`325`	`327`	`### Allowed CSS Styles`