This commit is contained in:
parent
ca6ba2eb51
commit
69386eed63
6 changed files with 53 additions and 3 deletions
|
|
@ -27,7 +27,14 @@ try {
|
|||
}
|
||||
|
||||
const files = await walk(dist);
|
||||
const jsFiles = files.filter((file) => file.endsWith('.js'));
|
||||
const ALLOWED_JS_ASSET_PATTERNS = [
|
||||
/[/\\]_astro[/\\]Analytics\.astro_astro_type_script_index_0_lang\.[\w-]+\.js$/,
|
||||
];
|
||||
const jsFiles = files.filter(
|
||||
(file) =>
|
||||
file.endsWith('.js') &&
|
||||
!ALLOWED_JS_ASSET_PATTERNS.some((pattern) => pattern.test(file))
|
||||
);
|
||||
|
||||
if (jsFiles.length > 0) {
|
||||
failures.push(
|
||||
|
|
@ -36,17 +43,21 @@ if (jsFiles.length > 0) {
|
|||
}
|
||||
|
||||
// Script tags are only allowed if they declare one of these safe `type`
|
||||
// attributes (or are tagged with `data-theme-script`). All other scripts,
|
||||
// including untyped ones, which default to executable JavaScript, are flagged.
|
||||
// attributes or match one of the known executable scripts below. All other
|
||||
// scripts, including untyped ones, which default to executable JavaScript, are
|
||||
// flagged.
|
||||
const SAFE_SCRIPT_TYPES = new Set([
|
||||
'application/ld+json',
|
||||
'importmap',
|
||||
'speculationrules',
|
||||
]);
|
||||
const ANALYTICS_SCRIPT_SRC_PATTERN =
|
||||
/\bsrc=["']\/_astro\/Analytics\.astro_astro_type_script_index_0_lang\.[\w-]+\.js["']/i;
|
||||
|
||||
function isSafeScriptTag(tag) {
|
||||
if (tag.includes('data-theme-script')) return true;
|
||||
if (tag.includes('data-thumbnail-iframe-script')) return true;
|
||||
if (ANALYTICS_SCRIPT_SRC_PATTERN.test(tag)) return true;
|
||||
const typeMatch = tag.match(/\btype=["']([^"']+)["']/i);
|
||||
if (!typeMatch) return false;
|
||||
return SAFE_SCRIPT_TYPES.has(typeMatch[1].trim().toLowerCase());
|
||||
|
|
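Review bot: The new allowlist pins the analytics bundle by filename only — `ANALYTICS_SCRIPT_SRC_PATTERN` in this hunk and `ALLOWED_JS_ASSET_PATTERNS` in the first hunk both accept any script whose basename matches `Analytics.astro_astro_type_script_index_0_lang.<[\w-]+>.js`, so any bundle emitted under that name passes regardless of its contents and the check no longer asserts what JavaScript is actually shipped. If the guard is meant to catch unexpected JavaScript in `dist`, consider pinning the allowed file by content (for example, comparing its hash against a recorded expected value) rather than by name, or at least state the weaker guarantee next to the pattern: `// NOTE: matches by filename only; any bundle emitted under this name is trusted regardless of contents.` The two patterns are also inconsistent with each other — the first accepts either path separator and is case-sensitive, while the second requires `/` and carries `/i` — which is worth aligning so the file-level and tag-level checks accept the same asset. The `[/\\]_astro[/\\]` pattern is not anchored to the `dist` root, so a matching file in any nested `_astro` directory would be allowed too. The `try {` block enclosing the first hunk and the body of `isSafeScriptTag` in this one both continue outside the hunks.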
|
|||