Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(api): Allow style tags and attributes in the In-App & Email Editor #4841

Merged
merged 2 commits into from
Nov 14, 2023
Merged

feat(api): Allow style tags and attributes in the In-App & Email Editor #4841

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8b9a8f7
feat(api): Allow use of style tags and attributes in the In-App & Ema…
rifont Nov 13, 2023
45da02d
Merge branch 'next' into nv-3026-on-update-button-click-css-styles-ar…
rifont Nov 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions apps/api/src/app/message-template/shared/sanitizer.service.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,40 @@ describe('HTML Sanitizer', function () {
]);
expect(result[0].content).to.equal('hello <b>bold</b> ');
});

it('should NOT sanitize style tags', function () {
const result = sanitizeMessageContent([
{
type: EmailBlockTypeEnum.TEXT,
content: '<style>p { color: red; }</style><p>Red Text</p>',
url: '',
},
]);

expect(result[0].content).to.equal('<style>p { color: red; }</style><p>Red Text</p>');
});

it('should NOT sanitize style attributes', function () {
const result = sanitizeMessageContent([
{
type: EmailBlockTypeEnum.TEXT,
content: '<p style="color: red;">Red Text</p>',
url: '',
},
]);

expect(result[0].content).to.equal('<p style="color: red;">Red Text</p>');
});

it('should NOT format style attributes', function () {
const result = sanitizeMessageContent([
{
type: EmailBlockTypeEnum.TEXT,
content: '<p style="color:red;">Red Text</p>',
url: '',
},
]);

expect(result[0].content).to.equal('<p style="color:red;">Red Text</p>');
});
});
36 changes: 35 additions & 1 deletion apps/api/src/app/message-template/shared/sanitizer.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,44 @@
import * as sanitize from 'sanitize-html';
import { IEmailBlock } from '@novu/shared';

/**
* Options for the sanitize-html library.
*
* @see https://www.npmjs.com/package/sanitize-html#default-options
*/
const sanitizeOptions: sanitize.IOptions = {
/**
* Additional tags to allow.
*/
allowedTags: sanitize.defaults.allowedTags.concat(['style']),
allowedAttributes: {
...sanitize.defaults.allowedAttributes,
/**
* Additional attributes to allow on all tags.
*/
'*': ['style'],
},
/**
* Required to disable console warnings when allowing style tags.
*
* We are allowing style tags to support the use of styles in the In-App Editor.
* This is a known security risk through an XSS attack vector,
* but we are accepting this risk by dropping support for IE11.
*
* @see https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html#remote-style-sheet
*/
allowVulnerableTags: true,
/**
* Required to disable formatting of style attributes. This is useful to retain
* formatting of style attributes in the In-App Editor.
*/
parseStyleAttributes: false,
};

export function sanitizeHTML(html: string) {
if (!html) return html;

return sanitize(html);
return sanitize(html, sanitizeOptions);
}

export function sanitizeMessageContent(content: string | IEmailBlock[]) {
Expand Down
Loading