diff --git a/package.json b/package.json
index 0c85c42..1a4538b 100644
--- a/package.json
+++ b/package.json
@@ -31,6 +31,7 @@
"jsuri": "^1.3.0",
"marked": "^4.0.10",
"twemoji": "^13.1.0",
+ "xss": "^1.0.14",
"xtend": "^4.0.1"
},
"devDependencies": {
diff --git a/src/transform.ts b/src/transform.ts
index 20a1580..21ea207 100644
--- a/src/transform.ts
+++ b/src/transform.ts
@@ -5,6 +5,7 @@ import is from 'is';
import xtend from 'xtend';
import { Colors } from './base';
import { SafeString } from 'handlebars/runtime';
+import xss from 'xss';
var DEFAULT_COLORS = {
primary: '#ff4981',
@@ -101,10 +102,10 @@ export default function transform(options: TransformOptions) {
return {
intro: new SafeString(
- marked(options.intro || t('INTRO'), { renderer: renderer })
+ xss(marked(options.intro || t('INTRO'), { renderer: renderer }))
),
outro: new SafeString(
- marked(options.outro || t('OUTRO'), { renderer: renderer })
+ xss(marked(options.outro || t('OUTRO'), { renderer: renderer }))
),
question: t('HOW_LIKELY'),
colors: colors,
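Review bot: Both call sites here, and the matching pair in src/transformV2.ts (the `intro`/`outro` hunk), inline `xss(marked(...))` with the library's default options, so the sanitisation policy applied to intro and outro is duplicated and can drift between the two files. With the defaults, xss escapes rather than strips disallowed tags (`stripIgnoreTag` is off) and its whitelist omits attributes such as `class`/`style`, so if the custom `renderer` (defined outside the hunk) emits either, the rendered output will show literal markup or lose styling — worth confirming against the renderer. Consider one shared helper, e.g. `const renderMarkdown = (src: string, renderer: Renderer) => xss(marked(src, { renderer }), MARKDOWN_XSS_OPTIONS);` with an explicit `whiteList`/`stripIgnoreTag` choice declared once, and call it from both files. Sanitising after marked is the right order, since markdown passes raw HTML through unchanged; a short comment at the first call, `// sanitise after rendering: markdown passes raw HTML through, and SafeString turns off Handlebars escaping`, would make that intent explicit. transform's body continues outside the hunk.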
diff --git a/src/transformV2.ts b/src/transformV2.ts
index c897128..2223ca2 100644
--- a/src/transformV2.ts
+++ b/src/transformV2.ts
@@ -3,6 +3,7 @@ import is from 'is';
import Uri from 'jsuri';
import { marked } from 'marked';
import twemoji from 'twemoji';
+import xss from 'xss';
import {
BaseTemplateOptions,
@@ -142,8 +143,8 @@ export function transformV2(options: TransformV2Options): TemplateV2Options {
const direction = options.direction || 'ltr';
const templateOptions: BaseTemplateOptions = {
- intro: new SafeString(marked(options.intro, { renderer })),
- outro: new SafeString(marked(options.outro, { renderer })),
+ intro: new SafeString(xss(marked(options.intro, { renderer }))),
+ outro: new SafeString(xss(marked(options.outro, { renderer }))),
question: options.question.label,
colors: {
...DEFAULT_COLORS,
@@ -164,7 +165,10 @@ export function transformV2(options: TransformV2Options): TemplateV2Options {
botHoneypotUrl: options.botHoneypotUrl
};
- if (options.question.type === 'single-choice' || options.question.type === 'multiple-choice') {
+ if (
+ options.question.type === 'single-choice' ||
+ options.question.type === 'multiple-choice'
+ ) {
const choices = options.question.choices.map((choice) => {
return {
label: choice,
diff --git a/stories/nps.ts b/stories/nps.ts
index 1901070..5c6d798 100644
--- a/stories/nps.ts
+++ b/stories/nps.ts
@@ -39,6 +39,12 @@ export const markdown = () =>
outro: 'Bye **bye**'
});
+export const introXss = () =>
+ renderV2({
+ ...nps,
+ intro: 'PAYLOAD'
+ });
+
export const xss = () =>
renderV2({
...nps,
diff --git a/yarn.lock b/yarn.lock
index 45a4d0d..d252c0d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3193,7 +3193,7 @@ commander@2.17.x:
resolved "https://registry.yarnpkg.com/commander/-/commander-2.17.1.tgz#bd77ab7de6de94205ceacc72f1716d29f20a77bf"
integrity sha512-wPMUt6FnH2yzG95SA6mzjQOEKUU3aLaDEmzs1ti+1E9h+CsrZghRlqEM/EJ4KscsQVG8uNN4uVreUeT8+drlgg==
-commander@^2.19.0, commander@^2.20.0, commander@~2.20.3:
+commander@^2.19.0, commander@^2.20.0, commander@^2.20.3, commander@~2.20.3:
version "2.20.3"
resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
@@ -3588,6 +3588,11 @@ cssesc@^3.0.0:
resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
+cssfilter@0.0.10:
+ version "0.0.10"
+ resolved "https://registry.yarnpkg.com/cssfilter/-/cssfilter-0.0.10.tgz#c6d2672632a2e5c83e013e6864a42ce8defd20ae"
+ integrity sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw==
+
csstype@^2.2.0, csstype@^2.5.7:
version "2.6.7"
resolved "https://registry.yarnpkg.com/csstype/-/csstype-2.6.7.tgz#20b0024c20b6718f4eda3853a1f5a1cce7f5e4a5"
@@ -10501,6 +10506,14 @@ write-file-atomic@^4.0.0, write-file-atomic@^4.0.1:
imurmurhash "^0.1.4"
signal-exit "^3.0.7"
+xss@^1.0.14:
+ version "1.0.14"
+ resolved "https://registry.yarnpkg.com/xss/-/xss-1.0.14.tgz#4f3efbde75ad0d82e9921cc3c95e6590dd336694"
+ integrity sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==
+ dependencies:
+ commander "^2.20.3"
+ cssfilter "0.0.10"
+
xtend@^4.0.0, xtend@~4.0.1:
version "4.0.2"
resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"