Merge pull request #675 from anak-dev/anak-dev-main

fix: `allowedClasses` whitelist ignored if tag is wildcard

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+
+- Fix to allow regex in `allowedClasses` wildcard whitelist. 
+
 ## 2.13.0 (2024-03-20)
 
 - Documentation update regarding minimum supported TypeScript version.

index.js

@@ -431,12 +431,13 @@ function sanitizeHtml(html, options, _recursing) {
               const allowedWildcardClasses = allowedClassesMap['*'];
               const allowedSpecificClassesGlob = allowedClassesGlobMap[name];
               const allowedSpecificClassesRegex = allowedClassesRegexMap[name];
+              const allowedWildcardClassesRegex = allowedClassesRegexMap['*'];
               const allowedWildcardClassesGlob = allowedClassesGlobMap['*'];
               const allowedClassesGlobs = [
                 allowedSpecificClassesGlob,
                 allowedWildcardClassesGlob
               ]
-                .concat(allowedSpecificClassesRegex)
+                .concat(allowedSpecificClassesRegex, allowedWildcardClassesRegex)
                 .filter(function (t) {
                   return t;
                 });

test/test.js

@@ -510,6 +510,19 @@ describe('sanitizeHtml', function() {
       '<p class="nifty33 dippy">whee</p>'
     );
   });
+  it('should allow classes that match `allowedClasses` regex for all tags', function() {
+    assert.equal(
+      sanitizeHtml(
+        '<p class="nifty33 nifty2 dippy">whee</p>',
+        {
+          allowedClasses: {
+            '*': [ /^nifty\d{2}$/, /^d\w{4}$/ ]
+          }
+        }
+      ),
+      '<p class="nifty33 dippy">whee</p>'
+    );
+  });
   it('should allow defining schemes on a per-tag basis', function() {
     assert.equal(
       sanitizeHtml(