introduced some safety checks

This commit is contained in:
Wyatt Johnson
2018-02-23 14:02:44 -07:00
parent 735ecbcef3
commit 22c876fa02
4 changed files with 12 additions and 13 deletions
@@ -11,6 +11,7 @@ const config = {
},
},
// TODO: move to admin eventually
// Super strict rules to make sure users only submit the tags they are allowed
dompurify: { ALLOWED_TAGS: ['b', 'i', 'blockquote'] },
+5 -10
View File
@@ -4,11 +4,6 @@ const linkify = require('linkifyjs/html');
const config = require('./config');
const inputCleanup = ({ richTextBody }) => {
// richTextBody needs to be present in the request
if (!richTextBody) {
throw new Error('`richTextBody` field not present in the request');
}
// Let's sanitize the body
let cleanInput = DOMPurify.sanitize(richTextBody);
@@ -23,17 +18,17 @@ const inputCleanup = ({ richTextBody }) => {
module.exports = {
RootMutation: {
createComment: {
async pre(_, { input }, _context, _info) {
async pre(_, { input }) {
// Adding the clean body to the comment.metadata field
input.metadata = merge(get(input, 'metadata'), {
input.metadata = merge(get(input, 'metadata', {}), {
richTextBody: inputCleanup(input),
});
},
},
editComment: {
async pre(_, { edit }, _context, _info) {
// Adding the clean body to the coment.metadata field
edit.metadata = merge(get(edit, 'metadata'), {
async pre(_, { edit }) {
// Adding the clean body to the comment.metadata field
edit.metadata = merge(get(edit, 'metadata', {}), {
richTextBody: inputCleanup(edit),
});
},
@@ -1,5 +1,8 @@
const { get } = require('lodash');
module.exports = {
Comment: {
richTextBody: comment => comment.metadata.richTextBody,
// Get the richTextBody, or send null.
richTextBody: comment => get(comment, 'metadata.richTextBody', null),
},
};
@@ -1,9 +1,9 @@
input CreateCommentInput {
richTextBody: String
richTextBody: String!
}
input EditCommentInput {
richTextBody: String
richTextBody: String!
}
type Comment {