DOP-5126: Sanitize input for SoftwareSourceCode structured data (#1292)

mongodb · Oct 28, 2024 · aa37b02 · aa37b02
1 parent a263043
commit aa37b02
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/src/utils/structured-data.js b/src/utils/structured-data.js
@@ -6,6 +6,7 @@
  * Optional overwrites can be set in params as default values
  */
 
+import sanitize from 'sanitize-html';
 import { getFullLanguageName } from './get-language';
 import { findKeyValuePair } from './find-key-value-pair';
 import { getPlaintext } from './get-plaintext';
@@ -97,7 +98,8 @@ export class SoftwareSourceCodeSd extends StructuredData {
   constructor({ code, lang, slug }) {
     super('SoftwareSourceCode');
     this.codeSampleType = 'code snippet';
-    this.text = code;
+    // Sanitize all input in case HTML snippets are labeled with different language
+    this.text = sanitize(code, { disallowedTagsMode: 'escape' });
 
     const programmingLanguage = getFullLanguageName(lang, slug);
     if (programmingLanguage) {

diff --git a/tests/unit/utils/__snapshots__/structured-data.test.js.snap b/tests/unit/utils/__snapshots__/structured-data.test.js.snap
@@ -77,6 +77,15 @@ SoftwareSourceCodeSd {
 }
 `;
 
+exports[`Structured Data SoftwareSourceCode sanitizes and escapes unsafe HTML examples 1`] = `
+SoftwareSourceCodeSd {
+  "@context": "https://schema.org",
+  "@type": "SoftwareSourceCode",
+  "codeSampleType": "code snippet",
+  "text": " &lt;script&gt;&lt;/script&gt;  &lt;script&gt; const app = new Realm.App({ id: "&lt;your_realm_app_id&gt;", }); // Callback used in \`data-callback\` to handle Google's response and log user into App Services function handleCredentialsResponse(response) { const credentials = Realm.Credentials.google({ idToken: response.credential }); app .logIn(credentials) .then((user) =&gt; alert(\`Logged in with id: user.id\`)); } &lt;/script&gt;",
+}
+`;
+
 exports[`Structured Data VideoObject returns valid structured data with description 1`] = `
 VideoObjectSd {
   "@context": "https://schema.org",

diff --git a/tests/unit/utils/structured-data.test.js b/tests/unit/utils/structured-data.test.js
@@ -24,6 +24,14 @@ describe('Structured Data', () => {
       expect(softwareSourceCodeSd.isValid()).toBeTruthy();
       expect(softwareSourceCodeSd).toMatchSnapshot();
     });
+
+    it('sanitizes and escapes unsafe HTML examples', () => {
+      const code =
+        '<!-- Load Google One Tap --> <script src="https://accounts.google.com/gsi/clien"></script> <!-- Log in with Realm and Google Authentication --> <script async defer> const app = new Realm.App({ id: "<your_realm_app_id>", }); // Callback used in `data-callback` to handle Google\'s response and log user into App Services function handleCredentialsResponse(response) { const credentials = Realm.Credentials.google({ idToken: response.credential }); app .logIn(credentials) .then((user) => alert(`Logged in with id: user.id`)); } </script>';
+      const softwareSourceCodeSd = new SoftwareSourceCodeSd({ code });
+      expect(softwareSourceCodeSd.isValid()).toBeTruthy();
+      expect(softwareSourceCodeSd).toMatchSnapshot();
+    });
   });
 
   describe('VideoObject', () => {