grafana/public/app/core/utils/text.ts

import xss from 'xss';

const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {
  // @ts-ignore
  acc[element] = xss.whiteList[element].concat(['class', 'style']);
  return acc;
}, {});

const sanitizeXSS = new xss.FilterXSS({
  whiteList: XSSWL,
});

/**
 * Returns string safe from XSS attacks.
 *
 * Even though we allow the style-attribute, there's still default filtering applied to it
 * Info: https://github.com/leizongmin/js-xss#customize-css-filter
 * Whitelist: https://github.com/leizongmin/js-css-filter/blob/master/lib/default.js
 */
export function sanitize(unsanitizedString: string): string {
  try {
    return sanitizeXSS.process(unsanitizedString);
  } catch (error) {
    console.log('String could not be sanitized', unsanitizedString);
    return unsanitizedString;
  }
}

export function hasAnsiCodes(input: string): boolean {
  return /\u001b\[\d{1,2}m/.test(input);
}

export function escapeHtml(str: string): string {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}
feat: wip: Sanitize user input on text panel 2019-01-17 14:44:52 +01:00			`import xss from 'xss';`
Explore: highlight typed text in suggestions - use react-highlight-words - add highlighting (color and border) to the matching substring of the suggested items in the typeahead - extracted match finding from logging datasource - created new utils/text.ts class for text-related functions - added more types 2018-10-05 13:00:45 +02:00
fix: Use custom whitelist for XSS sanitizer to allow class and style attributes 2019-01-23 11:27:02 +01:00			`const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {`
Chore: noImplictAny no errors left (#18303) * Add types and rewrite datasourceChanged to async/await 2019-08-01 14:38:34 +02:00			`// @ts-ignore`
fix: Use custom whitelist for XSS sanitizer to allow class and style attributes 2019-01-23 11:27:02 +01:00			`acc[element] = xss.whiteList[element].concat(['class', 'style']);`
			`return acc;`
			`}, {});`

			`const sanitizeXSS = new xss.FilterXSS({`
Prettier had not been running as a precommit hook for some time so had to run in on all files again 2019-02-13 11:14:53 +01:00			`whiteList: XSSWL,`
fix: Use custom whitelist for XSS sanitizer to allow class and style attributes 2019-01-23 11:27:02 +01:00			`});`

			`/**`
			`* Returns string safe from XSS attacks.`
			`*`
			`* Even though we allow the style-attribute, there's still default filtering applied to it`
			`* Info: https://github.com/leizongmin/js-xss#customize-css-filter`
			`* Whitelist: https://github.com/leizongmin/js-css-filter/blob/master/lib/default.js`
			`*/`
Prettier had not been running as a precommit hook for some time so had to run in on all files again 2019-02-13 11:14:53 +01:00			`export function sanitize(unsanitizedString: string): string {`
feat: wip: Sanitize user input on text panel 2019-01-17 14:44:52 +01:00			`try {`
fix: Use custom whitelist for XSS sanitizer to allow class and style attributes 2019-01-23 11:27:02 +01:00			`return sanitizeXSS.process(unsanitizedString);`
feat: wip: Sanitize user input on text panel 2019-01-17 14:44:52 +01:00			`} catch (error) {`
			`console.log('String could not be sanitized', unsanitizedString);`
			`return unsanitizedString;`
			`}`
			`}`
Support ANSI colors codes in Loki logs Closes #15114 2019-02-08 00:44:09 +08:00
			`export function hasAnsiCodes(input: string): boolean {`
			`return /\u001b\[\d{1,2}m/.test(input);`
			`}`
Panel: Fully escape html in drilldown links (was only sanitized before) (#17731) * Sanitize HTML * Replace sanitization lib and check for config * Add htmlToText * Refactor: Renaming htmlToText to escapeHtml 2019-06-25 09:06:28 +02:00
			`export function escapeHtml(str: string): string {`
			`return String(str)`
			`.replace(/&/g, '&')`
			`.replace(/</g, '<')`
			`.replace(/>/g, '>')`
			`.replace(/"/g, '"');`
			`}`