app/node_modules/mathjax-full/ts/ui/safe/safe.ts

/*************************************************************
 *
 *  Copyright (c) 2020-2022 The MathJax Consortium
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

/**
 * @fileoverview  Support for the safe extension
 *
 * @author dpvc@mathjax.org (Davide Cervone)
 */

import {Property} from '../../core/Tree/Node.js';
import {MmlNode} from '../../core/MmlTree/MmlNode.js';
import {MathItem} from '../../core/MathItem.js';
import {MathDocument} from '../../core/MathDocument.js';
import {OptionList, expandable} from '../../util/Options.js';
import {DOMAdaptor} from '../../core/DOMAdaptor.js';
import {SafeMethods} from './SafeMethods.js';


/**
 * Function type for filtering attributes
 *
 * @template N  The HTMLElement node class
 * @template T  The Text node class
 * @template D  The Document class
 */
export type FilterFunction<N, T, D> = (safe: Safe<N, T, D>, value: Property, ...args: any[]) => Property;

/**
 * The Safe object for sanitizing the internal MathML representation of an expression
 *
 * @template N  The HTMLElement node class
 * @template T  The Text node class
 * @template D  The Document class
 */
export class Safe<N, T, D> {

  /**
   * The options controlling the handling of the safe extension
   */
  public static OPTIONS: OptionList = {
    allow: {
      //
      //  Values can be "all", "safe", or "none"
      //
      URLs:    'safe',   // safe are in safeProtocols below
      classes: 'safe',   // safe start with mjx- (can be set by pattern below)
      cssIDs:  'safe',   // safe start with mjx- (can be set by pattern below)
      styles:  'safe'    // safe are in safeStyles below
    },
    //
    // Largest padding/border/margin, etc. in em's
    //
    lengthMax: 3,
    //
    // Valid range for scriptsizemultiplier
    //
    scriptsizemultiplierRange: [.6, 1],
    //
    // Valid range for scriptlevel
    //
    scriptlevelRange: [-2, 2],
    //
    // Pattern for allowed class names
    //
    classPattern: /^mjx-[-a-zA-Z0-9_.]+$/,
    //
    // Pattern for allowed ids
    //
    idPattern: /^mjx-[-a-zA-Z0-9_.]+$/,
    //
    // Pattern for data attributes
    //
    dataPattern: /^data-mjx-/,
    //
    //  Which URL protocols are allowed
    //
    safeProtocols: expandable({
      http: true,
      https: true,
      file: true,
      javascript: false,
      data: false
    }),
    //
    //  Which styles are allowed
    //
    safeStyles: expandable({
      color: true,
      backgroundColor: true,
      border: true,
      cursor: true,
      margin: true,
      padding: true,
      textShadow: true,
      fontFamily: true,
      fontSize: true,
      fontStyle: true,
      fontWeight: true,
      opacity: true,
      outline: true
    }),
    //
    //  CSS styles that have Top/Right/Bottom/Left versions
    //
    styleParts: expandable({
      border: true,
      padding: true,
      margin: true,
      outline: true
    }),
    //
    //  CSS styles that are lengths needing max/min testing
    //    A string value means test that style value;
    //    An array gives [min,max] in em's
    //    Otherwise use [-lengthMax,lengthMax] from above
    //
    styleLengths: expandable({
      borderTop: 'borderTopWidth',
      borderRight: 'borderRightWidth',
      borderBottom: 'borderBottomWidth',
      borderLeft: 'borderLeftWidth',
      paddingTop: true,
      paddingRight: true,
      paddingBottom: true,
      paddingLeft: true,
      marginTop: true,
      marginRight: true,
      marginBottom: true,
      marginLeft: true,
      outlineTop: true,
      outlineRight: true,
      outlineBottom: true,
      outlineLeft: true,
      fontSize: [.707, 1.44]
    })
  };

  /**
   * The attribute-to-filter-method mapping
   */
  public filterAttributes: Map<string, string> = new Map([
    //
    //  Methods called for MathML attribute processing
    //
    ['href', 'filterURL'],
    ['src',  'filterURL'],
    ['altimg', 'filterURL'],
    ['class', 'filterClassList'],
    ['style', 'filterStyles'],
    ['id', 'filterID'],
    ['fontsize', 'filterFontSize'],
    ['mathsize', 'filterFontSize'],
    ['scriptminsize', 'filterFontSize'],
    ['scriptsizemultiplier', 'filterSizeMultiplier'],
    ['scriptlevel', 'filterScriptLevel'],
    ['data-', 'filterData']
  ]);

  /**
   * The safe options from the document option list
   */
  public options: OptionList;

  /**
   * Shorthand for options.allow
   */
  public allow: OptionList;

  /**
   * The DOM adaptor from the document
   */
  public adaptor: DOMAdaptor<N, T, D>;

  /**
   * The methods for filtering the MathML attributes
   */
  public filterMethods: {[name: string]: FilterFunction<N, T, D>} = {
    ...SafeMethods
  };

  /**
   * @param {MathDocument<N,T,D>} document  The MathDocument we are sanitizing
   * @param {OptionList} options            The safeOptions from the document
   */
  constructor(document: MathDocument<N, T, D>, options: OptionList) {
    this.adaptor = document.adaptor;
    this.options = options;
    this.allow = this.options.allow;
  }

  /**
   * Sanitize a MathItem's root MathML tree
   *
   * @param {MathItem<N,T,D>} math           The MathItem to sanitize
   * @param {MathDocument<N,T,D>} document   The MathDocument in which it lives
   */
  public sanitize(math: MathItem<N, T, D>, document: MathDocument<N, T, D>) {
    try {
      math.root.walkTree(this.sanitizeNode.bind(this));
    } catch (err) {
      document.options.compileError(document, math, err);
    }
  }

  /**
   * Sanitize a node's attributes
   *
   * @param {MmlNode} node      The node to sanitize
   */
  protected sanitizeNode(node: MmlNode) {
    const attributes = node.attributes.getAllAttributes();
    for (const id of Object.keys(attributes)) {
      const method = this.filterAttributes.get(id);
      if (method) {
        const value = this.filterMethods[method](this, attributes[id]);
        if (value) {
          if (value !== (typeof value === 'number' ? parseFloat(attributes[id] as string) : attributes[id])) {
            attributes[id] = value;
          }
        } else {
          delete attributes[id];
        }
      }
    }
  }

  /**
   * Sanitize a MathML input attribute
   *
   * @param {string} id      The name of the attribute
   * @param {string} value   The value of the attribute
   * @return {string|null}   The sanitized value
   */
  public mmlAttribute(id: string, value: string): string | null {
    if (id === 'class') return null;
    const method = this.filterAttributes.get(id);
    const filter = (method || (id.substr(0, 5) === 'data-' ? this.filterAttributes.get('data-') : null));
    if (!filter) {
      return value;
    }
    const result = this.filterMethods[filter](this, value, id);
    return (typeof result === 'number' || typeof result === 'boolean' ? String(result) : result);
  }

  /**
   * Sanitize a list of class names
   *
   * @param {string[]} list   The list of class names
   * @return {string[]}       The sanitized list
   */
  public mmlClassList(list: string[]): string[] {
    return list.map((name) => this.filterMethods.filterClass(this, name) as string)
               .filter((value) => value !== null);
  }

}