palcarazm / bootstrap5-toggle / 20899724107
95%
v5: 93%

Build:
LAST BUILD BRANCH: develop/v5.3.0
DEFAULT BRANCH: v5
Ran 11 Jan 2026 06:18PM UTC
Jobs 2
Files 6
Run time 1min
11 Jan 2026 06:17PM UTC coverage: 95.159% (+0.2%) from 94.928%
20899724107 · push · github · web-flow
fix(security): add HTML sanitization with allow-list for toggle labels (#264)

* fix(security): add HTML sanitization with allow-list for toggle labels

Implement secure HTML sanitization using an allow-list approach to prevent XSS
vulnerabilities while allowing safe HTML in toggle labels.

Key changes:
- Add sanitizeHTML() function with allow-list of tags and attributes
- Extend sanitize() to support TEXT and HTML modes
- Apply HTML sanitization to toggle labels (data-onlabel/data-offlabel)
- Maintain TEXT sanitization for other attributes for safety
- Add comprehensive unit tests for XSS prevention

Allows safe HTML formatting (bold, italic, icons) while blocking scripts,
event handlers, and dangerous protocols. Users can now safely include
icons and formatted text in toggle labels.

Fixes #257

* fix(security): add `vbscript:` to blocked URL schema

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor(security): improve HTML sanitization code quality and tests

- Refactor sanitizeHTML() to extract helper functions sanitizeNode() and sanitizeAllowedAttr()
- Fix SonarQube code smells:
  - S7735: Remove negated condition in if-else
  - S1523: Add comment explaining security detection vs execution
  - Eliminate 'else' block containing only 'if' statement
- Refactor Jest tests to use parametrized test.each() patterns
  - Reduce code duplication in test files
  - Add missing test case for vbscript: protocol blocking
  - Improve test maintainability and readability

No functional changes - security behavior remains identical while improving code quality metrics.

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

331 of 367 branches covered (90.19%)

Branch coverage included in aggregate %.

50 of 50 new or added lines in 2 files covered. (100.0%)

475 of 480 relevant lines covered (98.96%)

63.15 hits per line

Jobs
ID  Job ID                                Ran                      Files  Coverage  Source
1   coverage-report-24.x - 20899724107.1  11 Jan 2026 06:18PM UTC  12     96.5      GitHub Action Run
2   coverage-report-22.x - 20899724107.2  11 Jan 2026 06:18PM UTC  12     96.5      GitHub Action Run
Source Files on build 20899724107
  • Github Actions Build #20899724107
  • 99a689ec on github
  • Prev Build on develop/v5.3.0 (#20895861676)
© 2026 Coveralls, Inc