🤖 Merge PR #47384 update(sanitize-html): v1.27 updates by @peterblazejewicz

- `allowedIframeDomains` option
- `allowVulnerableTags` option
- default linter settings applied, removing linter errors
- `interface-name` exclusion left as inline option
- version bump

https://github.com/apostrophecms/sanitize-html/compare/1.22.0...1.27.4

Thanks!

types/sanitize-html/index.d.ts

@@ -1,4 +1,4 @@
-// Type definitions for sanitize-html 1.23.0
+// Type definitions for sanitize-html 1.27
 // Project: https://github.com/punkave/sanitize-html
 // Definitions by: Rogier Schouten <https://github.com/rogierschouten>
 //                 Afshin Darian <https://github.com/afshin>
@@ -13,7 +13,6 @@
 //                 Dariusz Syncerek <https://github.com/dsyncerek>
 //                 Piotr Błażejewicz <https://github.com/peterblazejewicz>
 // Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
-// TypeScript Version: 2.2
 
 import { ParserOptions } from "htmlparser2";
 
@@ -22,11 +21,9 @@ export = sanitize;
 declare function sanitize(dirty: string, options?: sanitize.IOptions): string;
 
 declare namespace sanitize {
-  type Attributes = { [attr: string]: string };
-
-
-  type Tag = { tagName: string; attribs: Attributes; text?: string; };
+  interface Attributes { [attr: string]: string; }
 
+  interface Tag { tagName: string; attribs: Attributes; text?: string; }
 
   type Transformer = (tagName: string, attribs: Attributes) => Tag;
 
@@ -34,6 +31,7 @@ declare namespace sanitize {
 
   type DisallowedTagsModes = 'discard' | 'escape' | 'recursiveEscape';
 
+  // tslint:disable-next-line:interface-name
   interface IDefaults {
     allowedAttributes: { [index: string]: AllowedAttribute[] };
     allowedSchemes: string[];
@@ -46,6 +44,7 @@ declare namespace sanitize {
     selfClosing: string[];
   }
 
+  // tslint:disable-next-line:interface-name
   interface IFrame {
     tag: string;
     attribs: { [index: string]: string };
@@ -53,11 +52,12 @@ declare namespace sanitize {
     tagPosition: number;
   }
 
-
+  // tslint:disable-next-line:interface-name
   interface IOptions {
     allowedAttributes?: { [index: string]: AllowedAttribute[] } | boolean;
-    allowedStyles?:  { [index: string]: { [index: string]: RegExp[] } };
+    allowedStyles?: { [index: string]: { [index: string]: RegExp[] } };
     allowedClasses?: { [index: string]: string[] | boolean };
+    allowedIframeDomains?: string[];
     allowedIframeHostnames?: string[];
     allowIframeRelativeUrls?: boolean;
     allowedSchemes?: string[] | boolean;
@@ -65,7 +65,8 @@ declare namespace sanitize {
     allowedSchemesAppliedToAttributes?: string[];
     allowProtocolRelative?: boolean;
     allowedTags?: string[] | boolean;
-    textFilter?: (text: string, tagName: string) => string; 
+    allowVulnerableTags?: boolean;
+    textFilter?: (text: string, tagName: string) => string;
     exclusiveFilter?: (frame: IFrame) => boolean;
     nonTextTags?: string[];
     selfClosing?: string[];
@@ -81,9 +82,7 @@ declare namespace sanitize {
     enforceHtmlBoundary?: boolean;
   }
 
-
-  var defaults: IDefaults;
-
+  let defaults: IDefaults;
 
   function simpleTransform(tagName: string, attribs: Attributes, merge?: boolean): Transformer;
 }

types/sanitize-html/sanitize-html-tests.ts

@@ -1,10 +1,10 @@
 import sanitize = require('sanitize-html');
 
-let options: sanitize.IOptions = {
+const options: sanitize.IOptions = {
   allowedTags: sanitize.defaults.allowedTags.concat('h1', 'h2', 'img'),
   allowedAttributes: {
-    'a': sanitize.defaults.allowedAttributes['a'].concat('rel'),
-    'img': ['src', 'height', 'width', 'alt', 'style']
+    a: sanitize.defaults.allowedAttributes['a'].concat('rel'),
+    img: ['src', 'height', 'width', 'alt', 'style']
   },
   allowedClasses: {
     a: ['className'],
@@ -17,23 +17,25 @@ let options: sanitize.IOptions = {
         'background-color': [/^#0000FF$/]
       }
   },
+  allowedIframeDomains: ['zoom.us'],
   allowedIframeHostnames: ['www.youtube.com'],
   allowedSchemesAppliedToAttributes: [ 'href', 'src', 'cite' ],
     transformTags: {
-    'a': sanitize.simpleTransform('a', { 'rel': 'nofollow' }),
-    'img': (tagName: string, attribs: sanitize.Attributes) => {
-      let img = { tagName, attribs };
+    a: sanitize.simpleTransform('a', { rel: 'nofollow' }),
+    img: (tagName: string, attribs: sanitize.Attributes) => {
+      const img = { tagName, attribs };
       img.attribs['alt'] = 'transformed' ;
       return img;
     }
   },
   textFilter: (text, _) => text,
   allowIframeRelativeUrls: false,
-  exclusiveFilter: function(frame: sanitize.IFrame) {
+  allowVulnerableTags: true,
+  exclusiveFilter(frame: sanitize.IFrame) {
     return frame.tag === 'a' && !frame.text.trim();
   },
   allowedSchemesByTag: {
-    'a': ['http', 'https']
+    a: ['http', 'https']
   },
   allowProtocolRelative: false,
   disallowedTagsMode: 'escape',
@@ -50,7 +52,7 @@ sanitize.defaults.disallowedTagsMode; // $ExpectType string
 sanitize.defaults.enforceHtmlBoundary; // $ExpectType boolean
 sanitize.defaults.selfClosing; // $ExpectType string[]
 
-let unsafe = '<div><script>alert("hello");</script></div>';
+const unsafe = '<div><script>alert("hello");</script></div>';
 
 let safe = sanitize(unsafe, options);
 

types/sanitize-html/tslint.json

@@ -1,21 +1,3 @@
 {
-    "extends": "dtslint/dt.json",
-    "rules": {
-        "callable-types": false,
-        "comment-format": false,
-        "dt-header": false,
-        "interface-name": false,
-        "interface-over-type-literal": false,
-        "no-consecutive-blank-lines": false,
-        "no-redundant-jsdoc": false,
-        "no-reference-import": false,
-        "no-trailing-whitespace": false,
-        "no-var-keyword": false,
-        "object-literal-key-quotes": false,
-        "object-literal-shorthand": false,
-        "only-arrow-functions": false,
-        "prefer-const": false,
-        "prefer-method-signature": false,
-        "typedef-whitespace": false
-    }
+    "extends": "dtslint/dt.json"
 }