Yuki Takei 1 год назад
Родитель
Сommit
6935822caf
2 измененных файлов с 21 добавлено и 29 удалено
  1. 13 18
      apps/app/src/services/xss/index.ts
  2. 8 11
      apps/app/src/services/xss/xssOption.ts

+ 13 - 18
apps/app/src/services/xss/index.js → apps/app/src/services/xss/index.ts

@@ -1,26 +1,27 @@
-const xss = require('xss');
+import type { IFilterXSSOptions } from 'xss';
+import { FilterXSS } from 'xss';
+
+import type XssOption from './xssOption';
+
 const commonmarkSpec = require('./commonmark-spec');
 
 
 const REPETITIONS_NUM = 50;
 
-class Xss {
+export class Xss {
 
-  constructor(xssOption) {
-
-    xssOption = xssOption || {}; // eslint-disable-line no-param-reassign
+  myxss: FilterXSS;
 
-    const tagWhitelist = xssOption.tagWhitelist || [];
-    const attrWhitelist = xssOption.attrWhitelist || [];
+  constructor(xssOption: XssOption) {
 
-    const whitelistContent = {};
+    xssOption = xssOption || {}; // eslint-disable-line no-param-reassign
 
     // default
-    const option = {
+    const option: IFilterXSSOptions = {
       stripIgnoreTag: true,
       stripIgnoreTagBody: false, // see https://github.com/weseek/growi/pull/505
       css: false,
-      whitelist: whitelistContent,
+      whiteList: xssOption.attrWhitelist as Record<string, string[] | undefined>,
       escapeHtml: (html) => { return html }, // resolve https://github.com/weseek/growi/issues/221
       onTag: (tag, html, options) => {
         // pass autolink
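Review bot: `whiteList: xssOption.attrWhitelist as Record<string, string[] | undefined>` changes which tags survive the filter: the loop removed in the second hunk keyed the whitelist by `tagWhitelist`, whereas now the allowed tags are exactly the keys of `attrWhitelist`, `xssOption.tagWhitelist` is no longer read in the hunks shown, and with `stripIgnoreTag: true` a tag listed in `tagWhitelist` without an attribute entry is silently stripped — the `as` cast is what hides the shape mismatch that makes this happen. If I recall the hast-util-sanitize schema correctly, `Attributes` values may be `[name, ...allowedValues]` tuples and the map may carry a `*` wildcard key, neither of which the `xss` package's `whiteList` understands, so the cast would also let non-string entries reach the filter at runtime. Building `whiteList` from `tagWhitelist` and reducing each attribute specifier to its name keeps the previous tag semantics and removes the assertion; a `*` entry, if present in the recommended attributes, would have to be merged into every tag explicitly. Separately, `xssOption = xssOption || {}` on the line above no longer type-checks under strict mode against the non-optional `XssOption` parameter — either make the parameter optional or drop the fallback.
```typescript
    // … unchanged: xssOption fallback …
    // one whiteList entry per allowed tag; attribute specifiers reduced to
    // plain names because xss only understands `tag -> [attrName, ...]`
    const whiteList: Record<string, string[]> = {};
    for (const tag of xssOption.tagWhitelist) {
      const specs = xssOption.attrWhitelist[tag] ?? [];
      whiteList[tag] = specs.map((spec) => (typeof spec === 'string' ? spec : spec[0]));
    }

    // default
    const option: IFilterXSSOptions = {
      // … unchanged: stripIgnoreTag, stripIgnoreTagBody, css …
      whiteList,
      // … unchanged: escapeHtml, onTag …
```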
@@ -30,15 +31,11 @@ class Xss {
       },
     };
 
-    tagWhitelist.forEach((tag) => {
-      whitelistContent[tag] = attrWhitelist;
-    });
-
     // create the XSS Filter instance
-    this.myxss = new xss.FilterXSS(option);
+    this.myxss = new FilterXSS(option);
   }
 
-  process(document) {
+  process(document: string): string {
     let count = 0;
     let currDoc = document;
     let prevDoc = document;
@@ -59,5 +56,3 @@ class Xss {
   }
 
 }
-
-module.exports = Xss;

+ 8 - 11
apps/app/src/services/xss/xssOption.ts

@@ -1,32 +1,29 @@
-import { defaultSchema as sanitizeDefaultSchema } from 'rehype-sanitize';
+import type { Attributes } from 'hast-util-sanitize/lib';
 
 import type { RehypeSanitizeOption } from '~/interfaces/rehype';
-
-type tagWhitelist = typeof sanitizeDefaultSchema.tagNames;
-type attrWhitelist = typeof sanitizeDefaultSchema.attributes;
+import { tagNames as recommendedTagNames, attributes as recommendedAttributes } from '~/services/xss/recommended-whitelist';
 
 export type XssOptionConfig = {
   isEnabledXssPrevention: boolean,
   xssOption: RehypeSanitizeOption,
-  tagWhitelist: tagWhitelist,
-  attrWhitelist: attrWhitelist,
+  tagWhitelist: Array<string>,
+  attrWhitelist: Attributes,
 }
 
 export default class XssOption {
 
   isEnabledXssPrevention: boolean;
 
-  tagWhitelist: any[];
+  tagWhitelist: Array<string>;
 
-  attrWhitelist: any[];
+  attrWhitelist: Attributes;
 
   constructor(config: XssOptionConfig) {
-    const recommendedWhitelist = require('~/services/xss/recommended-whitelist');
     const initializedConfig: Partial<XssOptionConfig> = (config != null) ? config : {};
 
     this.isEnabledXssPrevention = initializedConfig.isEnabledXssPrevention || true;
-    this.tagWhitelist = initializedConfig.tagWhitelist || recommendedWhitelist.tags;
-    this.attrWhitelist = initializedConfig.attrWhitelist || recommendedWhitelist.attrs;
+    this.tagWhitelist = initializedConfig.tagWhitelist || recommendedTagNames;
+    this.attrWhitelist = initializedConfig.attrWhitelist || recommendedAttributes;
   }
 
 }
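Review bot: `this.isEnabledXssPrevention = initializedConfig.isEnabledXssPrevention || true;` two lines above the retyped defaults is always `true`, so a config that sets `isEnabledXssPrevention: false` still reports prevention as enabled; the line is unchanged context, but the commit rewrites the two lines directly below it with the same `||` idiom. Replace it with `this.isEnabledXssPrevention = initializedConfig.isEnabledXssPrevention ?? true;`, and for consistency `this.tagWhitelist = initializedConfig.tagWhitelist ?? recommendedTagNames;` and `this.attrWhitelist = initializedConfig.attrWhitelist ?? recommendedAttributes;` (arrays and objects are always truthy, so `||` and `??` behave the same on those two). Whether any caller relies on disabling the filter through this flag is not visible in this diff.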