15434290827

Committed 04 Jun 2025 05:23AM CUT coverage: 96.074% (+0.07%) from 96.003%

Build # 15434290827

Build Type

push

github

Committed by

web-flow

Commit Message

Build(deps-dev): Bump zod from 3.25.48 to 3.25.49 (#41513)

Bumps the development-dependencies group with 1 update: [zod](https://github.com/colinhacks/zod).


Updates `zod` from 3.25.48 to 3.25.49
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v3.25.48...v3.25.49)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 3.25.49
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Run Details

668 of 728 branches covered (91.76%)

Branch coverage included in aggregate %.

2024 of 2074 relevant lines covered (97.59%)

360.98 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

95.24

/js/src/util/sanitizer.js

/**
 * --------------------------------------------------------------------------
 * Bootstrap util/sanitizer.js
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
 * --------------------------------------------------------------------------
 */

// js-docs-start allow-list
const ARIA_ATTRIBUTE_PATTERN = /^aria-[\w-]*$/i

export const DefaultAllowlist = {
  // Global attributes allowed on any supplied element below.
  '*': ['class', 'dir', 'id', 'lang', 'role', ARIA_ATTRIBUTE_PATTERN],
  a: ['target', 'href', 'title', 'rel'],
  area: [],
  b: [],
  br: [],
  col: [],
  code: [],
  dd: [],
  div: [],
  dl: [],
  dt: [],
  em: [],
  hr: [],
  h1: [],
  h2: [],
  h3: [],
  h4: [],
  h5: [],
  h6: [],
  i: [],
  img: ['src', 'srcset', 'alt', 'title', 'width', 'height'],
  li: [],
  ol: [],
  p: [],
  pre: [],
  s: [],
  small: [],
  span: [],
  sub: [],
  sup: [],
  strong: [],
  u: [],
  ul: []
}
// js-docs-end allow-list

const uriAttributes = new Set([
  'background',
  'cite',
  'href',
  'itemtype',
  'longdesc',
  'poster',
  'src',
  'xlink:href'
])

/**
 * A pattern that recognizes URLs that are safe wrt. XSS in URL navigation
 * contexts.
 *
 * Shout-out to Angular https://github.com/angular/angular/blob/15.2.8/packages/core/src/sanitization/url_sanitizer.ts#L38
 */
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i

const allowedAttribute = (attribute, allowedAttributeList) => {
  const attributeName = attribute.nodeName.toLowerCase()

  if (allowedAttributeList.includes(attributeName)) {
    if (uriAttributes.has(attributeName)) {
      return Boolean(SAFE_URL_PATTERN.test(attribute.nodeValue))
    }

    return true
  }

  // Check if a regular expression validates the attribute.
  return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)
    .some(regex => regex.test(attributeName))
}

export function sanitizeHtml(unsafeHtml, allowList, sanitizeFunction) {
  if (!unsafeHtml.length) {
    return unsafeHtml
  }

  if (sanitizeFunction && typeof sanitizeFunction === 'function') {
    return sanitizeFunction(unsafeHtml)
  }

  const domParser = new window.DOMParser()
  const createdDocument = domParser.parseFromString(unsafeHtml, 'text/html')
  const elements = [].concat(...createdDocument.body.querySelectorAll('*'))

  for (const element of elements) {
    const elementName = element.nodeName.toLowerCase()

    if (!Object.keys(allowList).includes(elementName)) {
      element.remove()
      continue
    }

    const attributeList = [].concat(...element.attributes)
    const allowedAttributes = [].concat(allowList['*'] || [], allowList[elementName] || [])

    for (const attribute of attributeList) {
      if (!allowedAttribute(attribute, allowedAttributes)) {
        element.removeAttribute(attribute.nodeName)
      }
    }
  }

  return createdDocument.body.innerHTML
}

1	/**
2	* --------------------------------------------------------------------------
3	* Bootstrap util/sanitizer.js
4	* Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
5	* --------------------------------------------------------------------------
6	*/
7
8	// js-docs-start allow-list
9	const ARIA_ATTRIBUTE_PATTERN = /^aria-[\w-]*$/i	4✔
10
11	export const DefaultAllowlist = {	4✔
12	// Global attributes allowed on any supplied element below.
13	'*': ['class', 'dir', 'id', 'lang', 'role', ARIA_ATTRIBUTE_PATTERN],
14	a: ['target', 'href', 'title', 'rel'],
15	area: [],
16	b: [],
17	br: [],
18	col: [],
19	code: [],
20	dd: [],
21	div: [],
22	dl: [],
23	dt: [],
24	em: [],
25	hr: [],
26	h1: [],
27	h2: [],
28	h3: [],
29	h4: [],
30	h5: [],
31	h6: [],
32	i: [],
33	img: ['src', 'srcset', 'alt', 'title', 'width', 'height'],
34	li: [],
35	ol: [],
36	p: [],
37	pre: [],
38	s: [],
39	small: [],
40	span: [],
41	sub: [],
42	sup: [],
43	strong: [],
44	u: [],
45	ul: []
46	}
47	// js-docs-end allow-list
48
49	const uriAttributes = new Set([	4✔
50	'background',
51	'cite',
52	'href',
53	'itemtype',
54	'longdesc',
55	'poster',
56	'src',
57	'xlink:href'
58	])
59
60	/**
61	* A pattern that recognizes URLs that are safe wrt. XSS in URL navigation
62	* contexts.
63	*
64	* Shout-out to Angular https://github.com/angular/angular/blob/15.2.8/packages/core/src/sanitization/url_sanitizer.ts#L38
65	*/
66	const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:\|[^&:/?#]*(?:[/?#]\|$))/i	4✔
67
68	const allowedAttribute = (attribute, allowedAttributeList) => {	4✔
69	const attributeName = attribute.nodeName.toLowerCase()	339✔
70
71	if (allowedAttributeList.includes(attributeName)) {	339✔
72	if (uriAttributes.has(attributeName)) {	334✔
73	return Boolean(SAFE_URL_PATTERN.test(attribute.nodeValue))	38✔
74	}
75
76	return true	296✔
77	}
78
79	// Check if a regular expression validates the attribute.
80	return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)	49✔
81	.some(regex => regex.test(attributeName))	6✔
82	}
83
84	export function sanitizeHtml(unsafeHtml, allowList, sanitizeFunction) {
85	if (!unsafeHtml.length) {	127✔
86	return unsafeHtml	1✔
87	}
88
89	if (sanitizeFunction && typeof sanitizeFunction === 'function') {	126✔
90	return sanitizeFunction(unsafeHtml)	1✔
91	}
92
93	const domParser = new window.DOMParser()	125✔
94	const createdDocument = domParser.parseFromString(unsafeHtml, 'text/html')	125✔
95	const elements = [].concat(...createdDocument.body.querySelectorAll('*'))	125✔
96
97	for (const element of elements) {	125✔
98	const elementName = element.nodeName.toLowerCase()	360✔
99
100	if (!Object.keys(allowList).includes(elementName)) {	360✔
101	element.remove()	2✔
102	continue	2✔
103	}
104
105	const attributeList = [].concat(...element.attributes)	358✔
106	const allowedAttributes = [].concat(allowList['*'] \|\| [], allowList[elementName] \|\| [])	358!
107
108	for (const attribute of attributeList) {	358✔
109	if (!allowedAttribute(attribute, allowedAttributes)) {	339✔
110	element.removeAttribute(attribute.nodeName)	17✔
111	}
112	}
113	}
114
115	return createdDocument.body.innerHTML	125✔
116	}

twbs / bootstrap / 15434290827

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous