feat: Use Trusted Types in MyFeedElement - simplify JSON feed (#62)(#29)

Author: nfreear

demo/my-trusted-types.html

@@ -1,14 +1,31 @@
 <!doctype html><html lang="en">
 
+<meta
+  http-equiv="Content-Security-Policy"
+  content="require-trusted-types-for 'script'; trusted-types allowAnchor allowAnchorListPlus"
+>
+
 <link rel="stylesheet" href="style/app.v2.css">
 <style>
-  #myDiv { line-height: 1.7; }
+  #myDiv {
+    background: #eee;
+    border: 1px solid silver;
+    line-height: 1.8;
+    margin: 2rem 0;
+    padding: 1rem;
+  }
 </style>
 
 <title>Trusted Types test</title>
 
 <h1>Trusted Types test</h1>
 
+<p>Uses a <tt>Content-Security-Policy</tt> header with <tt>require-trusted-types-for</tt>.
+  And, uses the <a href="https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API">Trusted Types API</a>
+  to sanitize input HTML data.
+</p>
+
+
 <div id="myDiv">Loading Trusted Types polyfill...</div>
 
 
@@ -56,8 +73,11 @@ <h1>Trusted Types test</h1>
     const escaped = myTrustedTypes.createHTML('allowAnchor', uncleanHTML);
 
     console.assert(escaped instanceof TrustedHTML, 'Expecting trustedHTML');
-    console.log('Trusted HTML?', myTrustedTypes, escaped.toString()); // true
+    console.log('Trusted HTML?', myTrustedTypes, escaped); // true
 
-    elem.innerHTML = escaped.toString();
+    // elem.innerHTML = 'Hello world!'; // "my-trusted-types.html:64 This document requires 'TrustedHTML' assignment."
+    elem.innerHTML = escaped;
   })();
 </script>
+
+</html>

demo/style/app.v2.css

@@ -75,6 +75,7 @@ h2 {
 body {
   color: #222;
   font-family: sans-serif;
+  line-height: 1.6;
   margin: auto;
   max-width: 36rem;
   padding: 0 1rem;

src/build/feed.js

@@ -58,13 +58,13 @@ function metaDataToFeed (data) {
     const tags = status ? status.split(/, ?/) : [];
     const url = `${GH_URL}/${fileName}`;
     // eslint-disable-next-line camelcase
-    const content_html = `<p part="p">${desc}</p>
+    const content_html = `<p>${desc}</p>
 <ul>
-<li><i part="k i">Demo:</i> <a href="${demoUrl || '#'}">${demoUrl}</a>
-<li><i part="k i">Status:</i> ${status || ''}
-<li><i part="k i">className:</i> <code>${className}</code>
-<li><i part="k i">parentClass:</i> <code>${parentClass}</code>
-<li><i part="k i">tagName:</i> <code>&lt;${tagName}></code>
+<li><x>Demo:</x> <a href="${demoUrl || '#'}">${demoUrl}</a>
+<li><x>Status:</x> ${status || ''}
+<li><x>className:</x> <code>${className}</code>
+<li><x>parentClass:</x> <code>${parentClass}</code>
+<li><x>tagName:</x> <code>&lt;${tagName}></code>
 </ul>`;
 
     return { id, title, url, tags, content_html, _ext: it }; /* eslint-disable-line camelcase */

src/components/MyAnalyticsElement.js

@@ -3,7 +3,7 @@ const { HTMLElement, localStorage } = window;
 /**
  * Embed analytics without cookies.
  *
- * Easily embed Google Analytics - use <tt>localStorage</tt> instead of cookies, and anonyise the IP address.
+ * Easily embed Google Analytics - use <code>localStorage</code> instead of cookies, and anonyise the IP address.
  *
  * @copyright © Nick Freear, 28-June-2021.
  *

src/components/MyFeedElement.js

@@ -1,4 +1,5 @@
 import { appendTemplate, safeUrl, strip } from '../util/attachTemplate.js';
+import MyTrustedTypes from '../util/MyTrustedTypes.js';
 // Was: import MyElement from '../MyElement.js';
 
 const { fetch, HTMLElement, Request, location } = window;
@@ -15,6 +16,8 @@ const { fetch, HTMLElement, Request, location } = window;
  * @since 1.3.0
  */
 export class MyFeedElement extends HTMLElement {
+  #trustedTypes;
+
   static getTag () { return 'my-feed'; }
 
   get href () {
@@ -45,6 +48,7 @@ export class MyFeedElement extends HTMLElement {
   }
 
   async connectedCallback () {
+    await this.#loadTrustedTypes();
     const { data, resp, req } = await this.#fetchFeed();
 
     const FILTERED = this.#filterItems(data.items);
@@ -82,14 +86,17 @@ export class MyFeedElement extends HTMLElement {
     return filtered;
   }
 
+  get #policyId () { return 'allowAnchorListPlus'; }
+
   #makeListItem (item, open) {
+    const createHTML = (s) => this.#trustedTypes.createHTML(this.#policyId , s);
     const { skip, guid, link, pubDate, title, url, time, tags, content, content_html } = item; /* eslint-disable-line camelcase */
 
     if (skip) return '<template><!-- skip --></template>';
 
     // @TODO: security! - _saferHtml()
     const CONTENT = content || content_html || null; /* eslint-disable-line camelcase */
-    const DETAILS = CONTENT ? `<details part="details" ${open ? 'open' : ''}><summary part="summary">More</summary>${CONTENT}</details>` : null;
+    const DETAILS = CONTENT ? `<details part="details" ${open ? 'open' : ''}><summary part="summary">More</summary>${createHTML(CONTENT)}</details>` : null;
     // Be liberal in what we accept - 'link' or 'url'.
     // console.debug('makeListItem:', item);
     return `<template>
@@ -119,4 +126,9 @@ export class MyFeedElement extends HTMLElement {
     const feedUrl = this.toJson ? this.#rssToJsonService + encodeURIComponent(PARSED.href) : PARSED.href;
     return new Request(feedUrl);
   }
+
+  async #loadTrustedTypes () {
+    this.#trustedTypes = new MyTrustedTypes();
+    await this.#trustedTypes.load();
+  }
 }

src/util/MyTrustedTypes.js

@@ -19,8 +19,9 @@ export class MyTrustedTypes {
     return {
       lessThan: /</g,
       allTags: /</g,
-      allowAnchorLink: /<(?!a href=|\/a>)/ig,
+      allowAnchorLink: /<(?!a href=|\/a>)/ig, // Negative lookahead assertion.
       notAnchorLink: /<(?!a href=|\/a>)/ig,
+      allowAnchorListPlus: /<(?!a href=|\/a|\/?ul|\/?li|\/?p|\/?x|\/?code>)/ig,
       javascriptColon: /javascript:/ig,
       onEvent: /on(\w+)[ ]*=/ig,
     };
@@ -49,18 +50,22 @@ export class MyTrustedTypes {
 
       this.#policies.push({
         id: 'allowAnchor',
-        policy: trustedTypes.createPolicy('myEscapePolicy', {
-        // createHTML: (string) => string.replace(/</g, "&lt;"),
-        /* createHTML: (str) => str.replace(/on(\w+)=/ig, 'on-ZZ-$1=')
-                                .replace(/<(\/?)(script|object|embed|i?frame|style)/ig, '&lt;$1$2')
-                                .replace(/javascript:/ig, 'ZZ-scrip:'), */
+        policy: trustedTypes.createPolicy('allowAnchor', {
+        // createHTML: (str) => str.replace(/<(\/?)(script|object|embed|i?frame|style)/ig, '&lt;$1$2')
 
           createHTML: (str) => str.replace(this.#RE.allowAnchorLink, this.#replace.lessThanEntity)
-          // .replace(/<([^a][^ ]|\/[^a])/ig, '&lt;$1') // /<(?!(a|b) )/ig
-          // .replace(/<\/([^a])/ig, '&lt;/$1')
             .replace(this.#RE.javascriptColon, this.#replace.cleanJavascriptColon)
             .replace(this.#RE.onEvent, this.#replace.cleanOnEvent)
         })
+      });
+
+      this.#policies.push({
+        id: 'allowAnchorListPlus',
+        policy: trustedTypes.createPolicy('allowAnchorListPlus', {
+          createHTML: (str) => str.replace(this.#RE.onEvent, this.#replace.cleanOnEvent)
+            .replace(this.#RE.javascriptColon, this.#replace.cleanJavascriptColon)
+            .replace(this.#RE.allowAnchorListPlus, this.#replace.lessThanEntity)
+        })
       }); // push.
 
       return this;