
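I installed mpowaga:autoform-summernote and djedi:sanitize-html and tried to clean up the incoming data, but I can't figure out how to make it work with simpleschema. I just want users to be able to add bold and italic styling in addition to the "p" and "a" tags. What is wrong here?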

    description: {
        type: String,
        optional: true,
        autoform: {
            afFieldInput: {
                type: 'summernote',
                class: 'editor',
                settings: {
                    allowedTags: ['p', 'a'],
                    toolbar: [
                        ['style', ['bold', 'italic']],
                        ['para', ['ul', 'ol']]
                    ]
                }
            }
        }
    }

2 Answers


I'm having the same issue.

To start to answer your question, I don't think you can do the sanitize inside of your SimpleSchema (although I hope I'm wrong because that would be easiest). From what I can tell, that settings object is for summernote's options, e.g. what will be shown on the toolbar. I don't think that object is where you can use the djedi:sanitize-html functionality:

http://summernote.org/deep-dive/
https://github.com/mpowaga/meteor-autoform-summernote/issues/16

This GitHub issue seems to suggest the sanitize should go inside some sort of before hook:

https://github.com/mpowaga/meteor-autoform-summernote/issues/13

However, I thought autoform hooks were client-side and so djedi:sanitize-html won't work there. There is a client-side version (djedi:sanitize-html-client) but I'm not sure if that's insecure and defeats the purpose of sanitizing in the first place?

Personally, I'm using autoforms that insert with a method call. I'll report back if I solve it.

Further Reading:

answered 2016-03-27T16:36:33.403

Setting the allowed tags in the summernote settings only works on the client side, so it is not secure. To sanitize on the server, you need something like this.

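    description: {
        type: String,
        optional: true,
        // autoValue runs on both client and server; only the server-side
        // result is trusted, so sanitize there and pass through on the client.
        autoValue: function () {
            return Meteor.isServer ? sanitizeHtml(this.value) : this.value;
        },
        autoform: {
            afFieldInput: {
                type: 'summernote',
                class: 'editor',
                settings: ...
            }
        }
    }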
answered 2016-03-27T18:04:08.387
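The server-side approach from the second answer, extended with an explicit allowlist for the tags the question asks about. This is an added example, not code from either answer or from the packages' authors. It assumes the server-side `sanitizeHtml(html, options)` function that djedi:sanitize-html provides as a wrapper around the sanitize-html npm package; `DESCRIPTION_SANITIZE_OPTIONS` and `makeSanitizedAutoValue` are hypothetical names.

```javascript
// Added example. Assumption: djedi:sanitize-html exposes sanitizeHtml(html, options)
// on the server with the option names of the sanitize-html npm package.

// Allowlist for the question's use case: paragraphs, links, bold and italic.
// The list tags are included only because the toolbar in the question offers
// ul/ol; remove them if lists are not wanted.
const DESCRIPTION_SANITIZE_OPTIONS = {
  allowedTags: ['p', 'a', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li'],
  // Only links keep an attribute; style, class and event handlers are dropped.
  allowedAttributes: { a: ['href'] },
  // href values with any other scheme (javascript:, data:, ...) are removed.
  allowedSchemes: ['http', 'https', 'mailto']
};

// Hypothetical helper that builds a SimpleSchema autoValue function.
// `sanitize` and `isServer` are injected so the logic can be exercised
// outside Meteor; in an app pass sanitizeHtml and Meteor.isServer.
function makeSanitizedAutoValue(sanitize, isServer, options) {
  return function () {
    // The field is optional: leave it untouched when no string was submitted,
    // instead of handing undefined to the sanitizer.
    if (!this.isSet || typeof this.value !== 'string') return undefined;
    // Whatever the client computes can be bypassed; only the server run counts.
    if (!isServer) return this.value;
    return sanitize(this.value, options);
  };
}

// Wiring in the schema from the question (only meaningful under Meteor):
// description: {
//   type: String,
//   optional: true,
//   autoValue: makeSanitizedAutoValue(sanitizeHtml, Meteor.isServer,
//                                     DESCRIPTION_SANITIZE_OPTIONS),
//   autoform: { afFieldInput: { type: 'summernote', class: 'editor' } }
// }
```

The toolbar setting in summernote still decides what the editor offers; the allowlist above decides what the server stores.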