Yuki Takei 1 tahun lalu
induk
melakukan
d7229280a9

+ 1 - 0
apps/app/src/services/xss/index.ts

@@ -0,0 +1 @@
+export * from './xss';

+ 44 - 0
apps/app/src/services/xss/xss.spec.ts

@@ -0,0 +1,44 @@
+import { Xss } from './xss';
+
+describe('XSSService', () => {
+
+  describe('without config', () => {
+    const xss = new Xss();
+
+    test('should be sanitize script tag', () => {
+      // Act
+      const result = xss.process('<script>alert("XSS")</script>');
+
+      // Assert
+      expect(result).toBe('alert("XSS")');
+    });
+
+    test('should be sanitize nested script tag recursively', () => {
+      // Act
+      const result = xss.process('<scr<script>ipt>alert("XSS")</scr<script>ipt>');
+
+      // Assert
+      expect(result).toBe('alert("XSS")');
+    });
+
+    // for https://github.com/weseek/growi/issues/221
+    test('should not be sanitize blockquote', () => {
+      // Act
+      const result = xss.process('> foo\n> bar');
+
+      // Assert
+      expect(result).toBe('> foo\n> bar');
+    });
+
+    // https://github.com/weseek/growi/pull/505
+    test('should not be sanitize next closing-tag', () => {
+      // Act
+      const result = xss.process('<code /><span>text</span>');
+
+      // Assert
+      expect(result).toBe('text');
+    });
+
+  });
+
+});
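Review bot: The new spec only exercises `new Xss()` with no options, so the code paths the other files in this commit touch — the `customTagWhitelist`/`customAttrWhitelist` keys introduced in xssOption.ts and the autolink pass-through in `onTag` — have no test; a `describe('with config', …)` block constructing `new Xss(new XssOption({ customTagWhitelist: [...] }))` and asserting that a whitelisted tag survives while an unlisted one is stripped would pin the whitelist contract, and one case feeding an autolink such as `<https://example.invalid>` (constructed sample) would cover the pass-through. The nested-tag case at the `'<scr<script>ipt>…'` line implicitly depends on the repeated-pass loop in xss.ts bounded by `REPETITIONS_NUM`; a comment on that test naming that dependency would tell a future reader why the input is shaped that way. As a style point, the test names read `should be sanitize …`; `should sanitize …` / `should not sanitize …` is the conventional phrasing.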

+ 2 - 4
apps/app/src/services/xss/xss.ts

@@ -1,10 +1,9 @@
 import type { IFilterXSSOptions } from 'xss';
 import { FilterXSS } from 'xss';
 
+import commonmarkSpec from './commonmark-spec';
 import type XssOption from './xssOption';
 
-const commonmarkSpec = require('./commonmark-spec');
-
 
 const REPETITIONS_NUM = 50;
 
@@ -14,7 +13,6 @@ export class Xss {
 
   constructor(xssOption?: XssOption) {
 
-    // default
     const option: IFilterXSSOptions = {
       stripIgnoreTag: true,
       stripIgnoreTagBody: false, // see https://github.com/weseek/growi/pull/505
@@ -23,7 +21,7 @@ export class Xss {
         ? xssOption.attrWhitelist as Record<string, string[] | undefined>
         : {},
       escapeHtml: (html) => { return html }, // resolve https://github.com/weseek/growi/issues/221
-      onTag: (tag, html, options) => {
+      onTag: (tag, html) => {
         // pass autolink
         if (tag.match(commonmarkSpec.uriAutolinkRegexp) || tag.match(commonmarkSpec.emailAutolinkRegexp)) {
           return html;
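Review bot: The new `import commonmarkSpec from './commonmark-spec'` replaces a `require`, which suggests the target module may be CommonJS; a default import of a CJS module only resolves under `esModuleInterop`/`allowSyntheticDefaultImports`, and if the module uses `module.exports = { uriAutolinkRegexp, … }` without a default, `commonmarkSpec.uriAutolinkRegexp` in `onTag` would be undefined at runtime and the `tag.match(undefined)` guard would behave unexpectedly. Worth confirming the module's export shape, or switching to named imports (`import { uriAutolinkRegexp, emailAutolinkRegexp } from './commonmark-spec';`) so the compiler checks the names. Separately, the pass-through relies on `String.prototype.match`, which matches any substring unless the regexps are anchored; that is pre-existing, but a comment such as `// autolink regexps must be anchored: any match returns the tag unfiltered` would make the assumption visible to whoever edits commonmark-spec. The constructor and the `onTag` callback continue outside the hunk.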

+ 4 - 4
apps/app/src/services/xss/xssOption.ts

@@ -6,8 +6,8 @@ import { tagNames as recommendedTagNames, attributes as recommendedAttributes }
 export type XssOptionConfig = {
   isEnabledXssPrevention: boolean,
   xssOption: RehypeSanitizeOption,
-  tagWhitelist: Array<string>,
-  attrWhitelist: Attributes,
+  customTagWhitelist: Array<string>,
+  customAttrWhitelist: Attributes,
 }
 
 export default class XssOption {
@@ -22,8 +22,8 @@ export default class XssOption {
     const initializedConfig: Partial<XssOptionConfig> = (config != null) ? config : {};
 
     this.isEnabledXssPrevention = initializedConfig.isEnabledXssPrevention ?? true;
-    this.tagWhitelist = initializedConfig.tagWhitelist || recommendedTagNames;
-    this.attrWhitelist = initializedConfig.attrWhitelist || recommendedAttributes;
+    this.tagWhitelist = initializedConfig.customTagWhitelist || recommendedTagNames;
+    this.attrWhitelist = initializedConfig.customAttrWhitelist || recommendedAttributes;
   }
 
 }
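Review bot: Renaming the config keys to `customTagWhitelist`/`customAttrWhitelist` while `config` is accepted as `Partial<XssOptionConfig>` means a caller that still passes the old `tagWhitelist`/`attrWhitelist` keys gets no type error when the object is not a literal, and silently falls back to `recommendedTagNames`/`recommendedAttributes` — a permissive default replacing whatever restriction the caller intended. A short comment above the two assignments, e.g. `// NOTE: the config keys are customTagWhitelist/customAttrWhitelist; the old tagWhitelist/attrWhitelist keys are ignored and yield the recommended defaults`, would at least make the fallback explicit, and a doc comment on `XssOptionConfig` noting the rename would help callers migrate. As a style point, these two lines use `||` while the `isEnabledXssPrevention` line just above uses `??`; `this.tagWhitelist = initializedConfig.customTagWhitelist ?? recommendedTagNames;` and `this.attrWhitelist = initializedConfig.customAttrWhitelist ?? recommendedAttributes;` keep the constructor consistent without changing behaviour for array/object inputs. The constructor starts outside the hunk.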