Sanitize the user message before send (#287)

* The message sanitizer function

* Sanitize the user message before send

---------

Co-authored-by: Anderson Dourado <[email protected]>

src/core/sanitizers.ts

@@ -81,6 +81,12 @@ export function sanitizeListener(listener: IListener) {
   };
 }
 
+export function sanitizeMessage(message: string): string {
+  const parser = new DOMParser();
+  const doc = parser.parseFromString(message, 'text/html');
+  return doc.body.textContent || '';
+}
+
 export function sanitizeRuleType(
   ruleType: IRuleType | IRuleTypeExecutor
 ): IRuleType {

src/ui/__tests__/bot.spec.ts

@@ -633,4 +633,23 @@ describe('DOM behaviors', () => {
     input.dispatchEvent(inputEvent);
     expect(input.style.height).toBe(`${scrollHeight}px`);
   });
+
+  test('should sanitize message before send', async () => {
+    const rules = loadYaml(`
+    - message: value
+      type: String
+    `);
+
+    new YveBotUI(rules, OPTS).start();
+    const { input, submit, getUserMessages } = getChatElements();
+
+    input.value = '<h1>msg';
+    submit.click();
+
+    await sleep();
+
+    const message = getUserMessages()[0];
+    expect(message.innerHTML).toEqual('msg');
+  });
+
 });

src/ui/index.ts

@@ -1,5 +1,6 @@
 import { isMobile } from 'is-mobile';
 import YveBot from '../core';
+import { sanitizeMessage } from '../core/sanitizers';
 import { Answer, ChatMessageSource, IChatOptions, IRule } from '../types';
 import { ChatUI } from './ui';
 
@@ -45,7 +46,7 @@ export default class YveBotUI extends YveBot {
     this.UI.form.addEventListener('submit', evt => {
       evt.preventDefault();
       evt.stopPropagation();
-      const msg = this.UI.input.value.trim();
+      const msg = sanitizeMessage(this.UI.input.value.trim());
 
       if (msg) {
         this.hear(msg);