Merge pull request #573 from chalotrekking/develop

boutell · web-flow · commit e1034cf545bc · 2022-10-31T13:56:24.000-04:00
Upgrades `htmlparser2` to new major version `^8.0.0`.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased - Fix for Issue #565
+
+- Upgrades `htmlparser2` to new major version `^8.0.0`.
+
 ## 2.7.3 (2022-10-24)
 
 - If allowedTags is falsy but not exactly `false`, then do not assume that all tags are allowed. Rather, allow no tags in this case, to be on the safe side. This matches the existing documentation and fixes [issue #176](https://github.com/apostrophecms/sanitize-html/issues/176). Thanks to [Kedar Chandrayan](https://github.com/kedarchandrayan) for the fix.
diff --git a/package.json b/package.json
@@ -25,7 +25,7 @@
   "dependencies": {
     "deepmerge": "^4.2.2",
     "escape-string-regexp": "^4.0.0",
-    "htmlparser2": "^6.0.0",
+    "htmlparser2": "^8.0.0",
     "is-plain-object": "^5.0.0",
     "parse-srcset": "^1.0.2",
     "postcss": "^8.3.11"
diff --git a/test/test.js b/test/test.js
@@ -139,11 +139,11 @@ describe('sanitizeHtml', function() {
   it('should dump closing tags which do not have any opening tags.', function() {
     assert.equal(sanitizeHtml('<b><div/', {
       allowedTags: [ 'b' ]
-    }), '<b></b>');
+    }), '<b>/</b>');
 
     assert.equal(sanitizeHtml('<b><b<<div/', {
       allowedTags: [ 'b' ]
-    }), '<b></b>');
+    }), '<b>/</b>');
   });
   it('should tolerate not closed p tags', function() {
     assert.equal(sanitizeHtml('<div><p>inner text 1<p>inner text 2<p>inner text 3</div>'), '<div><p>inner text 1</p><p>inner text 2</p><p>inner text 3</p></div>');
@@ -172,11 +172,11 @@ describe('sanitizeHtml', function() {
     assert.equal(sanitizeHtml('<a href="java\0&#14;\t\r\n script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>');
   });
   it('should dump character codes 1-32 even when escaped with padding rather than trailing ;', function() {
-    assert.equal(sanitizeHtml('<a href="java&#0000001script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>');
+    assert.equal(sanitizeHtml('<a href="java&#0000001script:alert(\'foo\')">Hax</a>'), '<a href="java&amp;#0000001script:alert(\'foo\')">Hax</a>');
     // This one is weird, but the browser does not interpret it
     // as a scheme, so we're OK. That character is 65535, not null. I
     // think it's a limitation of the entities module
-    assert.equal(sanitizeHtml('<a href="java&#0000000script:alert(\'foo\')">Hax</a>'), '<a href="java�script:alert(\'foo\')">Hax</a>');
+    assert.equal(sanitizeHtml('<a href="java&#0000000script:alert(\'foo\')">Hax</a>'), '<a href="java&amp;#0000000script:alert(\'foo\')">Hax</a>');
   });
   it('should still like nice schemes', function() {
     assert.equal(sanitizeHtml('<a href="http://google.com/">Hi</a>'), '<a href="http://google.com/">Hi</a>');
