🐳 (Setup) Rework of the docker environment
style(npm install): 🔊 Add loglevel to track npm install process
✨ Add JWT Auth + Add end to end tests + Add swagger doc
refactor(Prisma): ♻️ Fix Translation relations + Accept data loss during database prototyping
* Update README.md: added section for manual setup
* Update README.md
* Update README.md
* fix: some things in the readme
* fix: title levels
* fix: added back the documentation url

* Added routes GET /profile and POST /profile to get and change your personal information
* Renamed file .env.example to .env.dist
* Added 2 new environment variables: JWT_SECRET and JWT_EXPIRES_IN
* A UserInfos field is now created at the creation of a User. That means that you now have to specify the sex and the birthday of the User you are creating in the route
* The field UserInfos.avatar (in the database) was required. It now is still required, but has a default value (which will need to be changed)
* Added tests for profile
* Fixed some minor bugs
* Fixed problems with multiple .env files. Now the main .env file is called .env.dev
* changed a lot of things, added tests, added users routes
* deps: updated dependencies
* deps: set typescript back to 4.9

* feat: added a route to check if the token is valid
* feat: added new route GET /auth/signin
* fix: tests
* fix: lint

Co-authored-by: AlbanSdl <alban.delavoreille@free.fr>

* ✨ Add seeding for Users.
* Added the changes proposed by Thomas.
* Fix typo
* Functional seeding for UE, UTTBranches, UTTFilieres and Translation.
* Apply changes suggested by Thomas.
* Rename models to factories because it makes more sense.
* Add seed to Faker
* fix: pnpm-lock was not meant to be removed
* fix: fixed a bug in ue seeding and added back database dropping on reset

Co-authored-by: BERGERAT Hugo <hugo.bergerat@loria.fr>
Co-authored-by: Teddy Roncin <teddy.roncin@proton.me>

* docs: added .readthedocs.yaml file
* docs: added requirements.txt
* Create docs/conf.py
* Create docs/index.md

* new features
* fix: revert absolute paths
* fix previous tests
* fix tests for the first route (1/12)
* add more tests
* tests: add tests for criteria
* add interfaces, typings and selectors for ue types
* test: one more test
* test: more tests
* test: forgot one test
* tests: add test for comment posting
* test: add more tests
* fix: add last tests
* removed all beforeAlls
* tests: add tests to check for uuid format
* fix merge
* test: fix test coverage
* add typing for @getuser decorator
* add missing test
* add common typed create ue function for tests
* test: add shortcuts for Spec#expectJsonLike
* experiment(test+errors): add custom errors on http 400 and 401
* add custom assertions to pactum. At this point, custom assertions only concern AppExceptions and UE-relative objects
* fix: add more details in custom http 400 errors
* test: end tests
* docs is still missing
* fix: add in-code docs and comments
* fix(ue): use ue.code instead of ue.inscriptionCode
* fix: renames, update upvote routes
* fix: replace UE by ue in database schema

…10)
* feat: added tables to support incredible timetables in schema.prisma
* feat: added a timetable service
* added prettier in .eslintrc
* updated .prettierrc
* updated dependencies
* removed startHour and endHour, replacing them by occurenceDuration
* updated typing for database models
* fix: timetable fetching should now work (not tested)
* refactor: refactored TimetableEntry structure
* overrides are now in a separate table
* we now use fewer times, and more metrics based on counting occurrences, which makes for easier maths and database consistency
* started adding support for unit testing
* started testing the TimetableService class
* fix: some bugs + more tests
* fix: lint
* fix: data cleaning was shoddy
* fix: now pnpm test does unit and e2e tests + lint + unitSuite util function
* docs: documented TimetableService
* and fixed some bugs, oops
* updated scripts in package.json and added scripts test:unit and test:e2e
* lint
* feat: route GET /timetable/current/daily/:day/:month/:year
* removed dependency supertest
* timetable occurrences are now sorted
* feat: added utility function sortArray
* fix: changed parameter name day to date in route GET timetable/current/daily/:day/:month/:year
* new features
* fix: revert absolute paths
* fix previous tests
* fix tests for the first route (1/12)
* add more tests
* tests: add tests for criteria
* add interfaces, typings and selectors for ue types
* test: one more test
* test: more tests
* test: forgot one test
* tests: add test for comment posting
* test: add more tests
* fix: add last tests
* removed all beforeAlls
* tests: add tests to check for uuid format
* fix merge
* feat: added route GET /timetable/current/groups
* added field createdAt in schema.prisma
* added utility test function createTimetableGroup
* utility test function createUser now automatically fakes all data
* feat: added route GET /timetable/:entryId
* feat: created function create
* that's a draft atm
* test: fix test coverage
* add typing for @getuser decorator
* add missing test
* add common typed create ue function for tests
* test: add shortcuts for Spec#expectJsonLike
* refactor: each entry (or override) can now be associated with multiple groups
* feat: added route POST /timetable/current
* feat: added route PATCH /timetable/current/:entryId
* fix: can no longer override an entry for groups that were not in the original entry
* experiment(test+errors): add custom errors on http 400 and 401
* add custom assertions to pactum. At this point, custom assertions only concern AppExceptions and UE-relative objects
* fix: add more details in custom http 400 errors
* test: end tests
* docs is still missing
* fix: tests
* feat: added route DELETE /timetable/current/:entryId
* refactor: some old tests that did not use current tools
* dependencies: upgrade + very small updates on old tests
* docs: added documentation
* fix: lint
* fix: lots of small fixes
* removed environment variables POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, and added FAKER_SEED for test environment
* added file .env.test.dist for test environment
* updated commands in package.json
* changed User.RGPDId and User.RGPD to User.rgpdId and User.rgpd in schema.prisma
* now throwing AppExceptions instead of ForbiddenExceptions, NotFoundExceptions, ...
* removed useless @UseGuards(JwtGuard)
* removed default collect coverage when testing
* changed ES version
* feat: added a way to generate functions to create fake entities way more easily
* fix: review
* fix: added flags --runInBand in testing commands

Co-authored-by: AlbanSdl <alban.delavoreille@free.fr>
* missing: tables, nested list styles, checklists
* faker v10 is not compatible with jest: https://v10.fakerjs.dev/guide/upgrading.html#incompatibility-with-jest
return html
  .replaceAll('class=""', '')
  .replaceAll(/(?<=<[^>]+)(?<!\w|")\s+(?=[^>]*>)|(?<=<[^>]*(?:\w|"))\s+(?=>)/g, '');
Check failure: Code scanning / CodeQL
Incomplete multi-character sanitization (High)

Copilot Autofix (AI, 5 months ago)
To fix this problem, we should ensure that all <script> tags, as well as other potentially dangerous HTML elements (e.g., <iframe>, <object>, <embed>, and attributes like onerror, onclick), are removed from the generated HTML string before returning it. The recommended standard is to use a well-known, vetted HTML sanitization library such as sanitize-html (npm package), which reliably strips dangerous content and attributes while retaining safe markup.
- Update the file src/lexical/lexical.module.ts.
- Import sanitize-html at the top.
- In generateHTML, run the output HTML (html) through sanitizeHtml before further string replacements.
- No changes to function arguments or existing logic, only add sanitization immediately after DOM generation and before existing post-processing.
- You need to add an import of sanitize-html.
| @@ -1,4 +1,5 @@ | ||
| import { Module } from '@nestjs/common'; | ||
| import sanitizeHtml from 'sanitize-html'; | ||
| import { TextNode, ParagraphNode } from 'lexical'; | ||
| import { createHeadlessEditor } from '@lexical/headless'; | ||
| import { $generateHtmlFromNodes } from '@lexical/html'; | ||
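Review bot: the default import `import sanitizeHtml from 'sanitize-html';` only compiles if `esModuleInterop` (or `allowSyntheticDefaultImports`) is enabled in the project's tsconfig, because sanitize-html is a CommonJS module exposing a single function; the named imports on the neighbouring lines never exercise that path, so check the setting before accepting the autofix, or import the module the way the rest of the codebase imports CommonJS dependencies.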
| @@ -126,6 +127,11 @@ | ||
| editor.setEditorState(editor.parseEditorState(parsed)); | ||
| editor.read(() => (html = $generateHtmlFromNodes(editor))); | ||
| }); | ||
| // sanitize the HTML against script injection and unsafe markup | ||
| html = sanitizeHtml(html, { | ||
| allowedTags: sanitizeHtml.defaults.allowedTags.filter(tag => tag !== 'script' && tag !== 'iframe' && tag !== 'object' && tag !== 'embed'), | ||
| allowedAttributes: false, // remove all attributes except safe defaults | ||
| }); | ||
| return html | ||
| .replaceAll('class=""', '') | ||
| .replaceAll(/(?<=<[^>]+)(?<!\w|")\s+(?=[^>]*>)|(?<=<[^>]*(?:\w|"))\s+(?=>)/g, ''); |
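Review bot: `allowedAttributes: false` in sanitize-html means "allow every attribute", not "strip them", so the comment on that line states the opposite of what the option does and the `onerror`/`onclick` handlers the autofix text promises to remove would pass straight through; drop the option to keep `sanitizeHtml.defaults.allowedAttributes`, or pass an explicit per-tag allow-list. The `allowedTags` filter removes nothing either, since `script`, `iframe`, `object` and `embed` are not in `sanitizeHtml.defaults.allowedTags` to begin with. The two `.replaceAll` calls the alert was raised on still run unchanged after the sanitizer, so the finding itself is not addressed: if they are purely cosmetic clean-up of lexical's output, say so in a comment next to them; if they are meant to sanitize, repeat the removal until the string stops changing or do it on the DOM instead of the serialized string. Also confirm that the tags lexical's serializer emits all survive the default allow-list, which is narrower than a rich-text export.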
| @@ -71,7 +71,8 @@ | ||
| "prisma": "^7.1.0", | ||
| "reflect-metadata": "^0.2.2", | ||
| "rxjs": "^7.8.2", | ||
| "sharp": "^0.34.5" | ||
| "sharp": "^0.34.5", | ||
| "sanitize-html": "^2.17.0" | ||
| }, | ||
| "devDependencies": { | ||
| "@faker-js/faker": "^9.9.0", |
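Review bot: sanitize-html is typed through the separate `@types/sanitize-html` package, which this hunk does not add to `devDependencies`, so the TypeScript build will fail on the new import; add it alongside `"sanitize-html": "^2.17.0"`. The repository uses pnpm (see the `pnpm-lock` and `pnpm test` mentions in the commit messages above), so the lockfile has to be regenerated too, which this diff does not do. Minor: keep the dependency list alphabetical (`sanitize-html` before `sharp`).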
| Package | Version | Security advisories |
|---|---|---|
| sanitize-html (npm) | 2.17.0 | None |
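As an added illustration of the alert class CodeQL raised on the flagged post-processing (this is not code from the project, nor part of the autofix), the snippet below applies the page's two replacements once, the way `generateHTML` does, next to a fixed-point variant that repeats each removal until the output stops changing. The function names `postProcessOnce`, `removeUntilStable` and `postProcessStable`, and the sample inputs, are constructed for the example.

```javascript
// Added example, not the project's code. Shows why a single-pass
// string replacement is an incomplete sanitizer and how a fixed-point
// loop closes that gap. Sample inputs below are constructed.

const EMPTY_CLASS = 'class=""';
// Same regex as the flagged code: strips stray whitespace inside tags.
const TAG_WHITESPACE = /(?<=<[^>]+)(?<!\w|")\s+(?=[^>]*>)|(?<=<[^>]*(?:\w|"))\s+(?=>)/g;

// Mirror of the flagged chain: each replacement runs exactly once.
function postProcessOnce(html) {
  return html.replaceAll(EMPTY_CLASS, '').replaceAll(TAG_WHITESPACE, '');
}

// Remove `pattern` until the string no longer changes, so an input whose
// removal re-creates the pattern (e.g. `clasclass=""s=""`) cannot survive.
function removeUntilStable(text, pattern) {
  let previous;
  do {
    previous = text;
    text = text.replaceAll(pattern, '');
  } while (text !== previous);
  return text;
}

function postProcessStable(html) {
  const withoutEmptyClass = removeUntilStable(html, EMPTY_CLASS);
  return removeUntilStable(withoutEmptyClass, TAG_WHITESPACE);
}

// Constructed inputs: the benign case the clean-up was written for, and a
// nested one that yields `class=""` only after the first removal.
const BENIGN = '<p class="">hi</p>';
const NESTED = '<p clasclass=""s="">hi</p>';

// Single pass: benign input is cleaned, nested input keeps `class=""`.
// Fixed point: both collapse to `<p>hi</p>`.
function demo() {
  return {
    oncePlain: postProcessOnce(BENIGN),
    onceNested: postProcessOnce(NESTED),
    stableNested: postProcessStable(NESTED),
  };
}

console.log(demo());
```

The loop addresses the alert mechanically; the more robust direction, for the `class=""` clean-up as much as for any real filtering, is to operate on the DOM before serializing rather than on the serialized string, and to keep security filtering (the sanitizer) separate from cosmetic tidying.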
Codecov Report
❌ Patch coverage is

Additional details and impacted files

@@            Coverage Diff             @@
##              dev      #99      +/-   ##
==========================================
- Coverage   83.19%   79.29%   -3.91%
==========================================
  Files         140      119      -21
  Lines        2398     2347      -51
  Branches      470      387      -83
==========================================
- Hits         1995     1861     -134
+ Misses        398      372      -26
- Partials        5      114     +109

☔ View full report in Codecov by Sentry.
Original PR #99
Update of the API dependencies (based on `feat/lexical-generator`)

Faker v10 is not compatible with jest; there is a [workaround](https://v10.fakerjs.dev/guide/upgrading.html#incompatibility-with-jest) that consists in using babel... But that is a bit heavy for the tests, isn't it? If we decide to use babel because jest does not support pure-esm packages, we can reintroduce the lexical unit tests (cf. #97)

Co-authored-by: AlbanSdl <alban.delavoreille@free.fr>