Use sanitize-html instead of string for security reason.

daohoangson · daohoangson · commit 13f36b014c9f · 2018-09-25T10:37:05.000+07:00
See jprichardson/string.js#212
diff --git a/lib/helper.js b/lib/helper.js
@@ -4,7 +4,7 @@ const helper = exports
 const debug = require('debug')('pushserver:helper')
 const he = require('he')
 const _ = require('lodash')
-const string = require('string')
+const sanitizeHtml = require('sanitize-html')
 const url = require('url')
 
 helper.prepareApnMessage = function (originalMessage) {
@@ -160,7 +160,11 @@ helper.prepareGcmSenderOptions = function (packageId, config) {
 }
 
 helper.prepareNotificationHtml = function (html) {
-  const trimmed = string(html).stripTags().trim().s
+  const stripped = sanitizeHtml(html, {
+    allowedTags: [],
+    allowedAttributes: []
+  })
+  const trimmed = stripped.trim()
   const decoded = he.decode(trimmed)
 
   return decoded
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -18,7 +18,7 @@
     "node-gcm": "^1.0.2",
     "pug": "^2.0.0-alpha6",
     "request": "^2.87.0",
-    "string": "~3.3.1",
+    "sanitize-html": "^1.19.0",
     "wns": "~0.5.3"
   },
   "devDependencies": {
