Merge pull request #34 from Stassi/feature/sanitize-leaflet

feature/sanitize-leaflet
Stassi · Sep 28, 2024 · 9b838fc · 9b838fc
2 parents 8c9e174 + fdfdff3
commit 9b838fc
Show file tree

Hide file tree

Showing 3 changed files with 172 additions and 5 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stassi/leaf",
-  "version": "0.0.33",
+  "version": "0.0.34",
   "description": "Leaflet adapter.",
   "keywords": [
     "cartography",
@@ -61,7 +61,9 @@
     "@babel/eslint-parser": "^7.25.1",
     "@babel/plugin-syntax-import-attributes": "^7.25.6",
     "@rollup/plugin-commonjs": "^26.0.1",
+    "@rollup/plugin-inject": "^5.0.5",
     "@rollup/plugin-node-resolve": "^15.2.3",
+    "@rollup/plugin-replace": "^6.0.1",
     "@rollup/plugin-terser": "^0.4.4",
     "@rollup/plugin-typescript": "^11.1.6",
     "@types/jest": "^29.5.13",
@@ -70,6 +72,7 @@
     "@typescript-eslint/eslint-plugin": "^7.1.1",
     "@typescript-eslint/parser": "^7.1.1",
     "@vercel/style-guide": "^6.0.0",
+    "dompurify": "^3.1.7",
     "eslint": ">=8.48.0 <9",
     "eslint-config-prettier": "^9.1.0",
     "eslint-import-resolver-typescript": "^3.6.3",
@@ -85,6 +88,7 @@
     "prettier": "3.3.3",
     "puppeteer": "^23.4.0",
     "rollup": "^4.22.4",
+    "rollup-plugin-modify": "^3.0.0",
     "shx": "^0.3.4",
     "ts-jest": "^29.2.5",
     "typescript": "^5.6.2"

diff --git a/rollup.config.ts b/rollup.config.ts
@@ -1,8 +1,19 @@
+// noinspection JSUnusedGlobalSymbols
+
 import commonjs from '@rollup/plugin-commonjs'
+import inject from '@rollup/plugin-inject'
 import terser from '@rollup/plugin-terser'
 import typescript from '@rollup/plugin-typescript'
+// @ts-expect-error -- untyped plugin
+import untypedModify from 'rollup-plugin-modify'
 import { nodeResolve } from '@rollup/plugin-node-resolve'
-import { type RollupOptions } from 'rollup'
+import { type Plugin, type RollupOptions } from 'rollup'
+
+// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- untyped plugin
+const modify: (modifyOptions: {
+  find: string | RegExp
+  replace: string | ((match: string, element: string, value: string) => string)
+}) => Plugin = untypedModify
 
 const rollupConfig: RollupOptions = {
   input: 'src/index.ts',
@@ -14,8 +25,16 @@ const rollupConfig: RollupOptions = {
     },
   ],
   plugins: [
-    nodeResolve(),
     commonjs(),
+    modify({
+      find: /(?<element>.*)\.innerHTML\s*=\s*(?<value>.*);/,
+      replace: (_match: string, element: string, value: string): string =>
+        `${element}.innerHTML = DOMPurify.sanitize(${value});`,
+    }),
+    inject({
+      DOMPurify: 'dompurify',
+    }),
+    nodeResolve(),
     typescript({
       exclude: ['rollup.config.ts'],
     }),