You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Replaces DOMPurify-based SVG JavaScript detection with a cheerio and regex-based approach in the injected helpers, updates dependencies accordingly, and removes the sw-build GitHub workflow.
Flow diagram for updated containsExecutableJavaScript SVG check
flowchart TD
A["containsExecutableJavaScript(svgString)"] --> B{svgString is empty?}
B -- Yes --> Z["Return false"]
B -- No --> C["Try parse svgString with cheerio.load(svgString, xmlMode true)"]
C --> D{Any script elements?}
D -- Yes --> E["Return true"]
D -- No --> F["Continue"]
C -->|Parsing throws| F
F["Define eventHandlerRegex and hrefJavaScriptRegex"] --> G{eventHandlerRegex matches svgString?}
G -- Yes --> H["Return true"]
G -- No --> I{hrefJavaScriptRegex matches svgString?}
I -- Yes --> J["Return true"]
I -- No --> K["Return false"]
Loading
File-Level Changes
Change
Details
Files
Refactor SVG executable JavaScript detection to avoid DOMPurify and instead use cheerio parsing with regex fallbacks.
Replace DOMPurify import with cheerio and update type-only imports to remain unchanged.
Implement cheerio-based XML parsing of SVG strings to detect <script> tags, wrapped in a try/catch for robustness.
Add regex-based fallbacks to detect inline event handlers and javascript: URLs in href/xlink:href attributes when parsing fails.
Ensure the helper returns true on any suspicious construct and false otherwise.
packages/injected/src/helpers.ts
Align package dependencies with new implementation and example tooling.
Swap dompurify dependency for cheerio in the injected package to match the new SVG detection implementation.
Downgrade css-loader in the vanilla JS example to a 6.x version, likely for compatibility with the rest of the toolchain.
Remove the Subwallet build GitHub Actions workflow.
Delete the sw-build.yml workflow configuration, disabling that CI job.
.github/workflows/sw-build.yml
Tips and commands
Interacting with Sourcery
Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment @sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment @sourcery-ai review to trigger a new review!
Reviewer's Guide
Replaces DOMPurify-based SVG JavaScript detection with a cheerio and regex-based approach in the injected helpers, updates dependencies accordingly, and removes the sw-build GitHub workflow.
Flow diagram for updated containsExecutableJavaScript SVG check
flowchart TD A["containsExecutableJavaScript(svgString)"] --> B{svgString is empty?} B -- Yes --> Z["Return false"] B -- No --> C["Try parse svgString with cheerio.load(svgString, xmlMode true)"] C --> D{Any script elements?} D -- Yes --> E["Return true"] D -- No --> F["Continue"] C -->|Parsing throws| F F["Define eventHandlerRegex and hrefJavaScriptRegex"] --> G{eventHandlerRegex matches svgString?} G -- Yes --> H["Return true"] G -- No --> I{hrefJavaScriptRegex matches svgString?} I -- Yes --> J["Return true"] I -- No --> K["Return false"]File-Level Changes
packages/injected/src/helpers.tspackages/injected/package.jsonexamples/with-vanilla-js/package.json.github/workflows/sw-build.ymlTips and commands
Interacting with Sourcery
@sourcery-ai reviewon the pull request.issue from a review comment by replying to it. You can also reply to a
review comment with
@sourcery-ai issueto create an issue from it.@sourcery-aianywhere in the pullrequest title to generate a title at any time. You can also comment
@sourcery-ai titleon the pull request to (re-)generate the title at any time.@sourcery-ai summaryanywhere inthe pull request body to generate a PR summary at any time exactly where you
want it. You can also comment
@sourcery-ai summaryon the pull request to(re-)generate the summary at any time.
@sourcery-ai guideon the pullrequest to (re-)generate the reviewer's guide at any time.
@sourcery-ai resolveon thepull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
@sourcery-ai dismisson the pullrequest to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai reviewto trigger a new review!Customizing Your Experience
Access your dashboard to:
summary, the reviewer's guide, and others.
Getting Help
Originally posted by @sourcery-ai[bot] in #44 (comment)