Change whitelist to allowlist (#31066)

Co-authored-by: XhmikosR <xhmikosr@gmail.com>
Co-authored-by: Mark Otto <markd.otto@gmail.com>

js/src/tooltip.js

@@ -17,7 +17,7 @@ import {
   typeCheckConfig
 } from './util/index'
 import {
-  DefaultWhitelist,
+  DefaultAllowlist,
   sanitizeHtml
 } from './util/sanitizer'
 import Data from './dom/data'
@@ -38,7 +38,7 @@ const DATA_KEY = 'bs.tooltip'
 const EVENT_KEY = `.${DATA_KEY}`
 const CLASS_PREFIX = 'bs-tooltip'
 const BSCLS_PREFIX_REGEX = new RegExp(`(^|\\s)${CLASS_PREFIX}\\S+`, 'g')
-const DISALLOWED_ATTRIBUTES = ['sanitize', 'whiteList', 'sanitizeFn']
+const DISALLOWED_ATTRIBUTES = ['sanitize', 'allowList', 'sanitizeFn']
 
 const DefaultType = {
   animation: 'boolean',
@@ -55,7 +55,7 @@ const DefaultType = {
   boundary: '(string|element)',
   sanitize: 'boolean',
   sanitizeFn: '(null|function)',
-  whiteList: 'object',
+  allowList: 'object',
   popperConfig: '(null|object)'
 }
 
@@ -84,7 +84,7 @@ const Default = {
   boundary: 'scrollParent',
   sanitize: true,
   sanitizeFn: null,
-  whiteList: DefaultWhitelist,
+  allowList: DefaultAllowlist,
   popperConfig: null
 }
 
@@ -428,7 +428,7 @@ class Tooltip {
 
     if (this.config.html) {
       if (this.config.sanitize) {
-        content = sanitizeHtml(content, this.config.whiteList, this.config.sanitizeFn)
+        content = sanitizeHtml(content, this.config.allowList, this.config.sanitizeFn)
       }
 
       element.innerHTML = content
@@ -711,7 +711,7 @@ class Tooltip {
     typeCheckConfig(NAME, config, this.constructor.DefaultType)
 
     if (config.sanitize) {
-      config.template = sanitizeHtml(config.template, config.whiteList, config.sanitizeFn)
+      config.template = sanitizeHtml(config.template, config.allowList, config.sanitizeFn)
     }
 
     return config

js/src/util/sanitizer.js

@@ -55,7 +55,7 @@ const allowedAttribute = (attr, allowedAttributeList) => {
   return false
 }
 
-export const DefaultWhitelist = {
+export const DefaultAllowlist = {
   // Global attributes allowed on any supplied element below.
   '*': ['class', 'dir', 'id', 'lang', 'role', ARIA_ATTRIBUTE_PATTERN],
   a: ['target', 'href', 'title', 'rel'],
@@ -89,7 +89,7 @@ export const DefaultWhitelist = {
   ul: []
 }
 
-export function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
+export function sanitizeHtml(unsafeHtml, allowList, sanitizeFn) {
   if (!unsafeHtml.length) {
     return unsafeHtml
   }
@@ -100,24 +100,24 @@ export function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
 
   const domParser = new window.DOMParser()
   const createdDocument = domParser.parseFromString(unsafeHtml, 'text/html')
-  const whitelistKeys = Object.keys(whiteList)
+  const allowlistKeys = Object.keys(allowList)
   const elements = [].concat(...createdDocument.body.querySelectorAll('*'))
 
   for (let i = 0, len = elements.length; i < len; i++) {
     const el = elements[i]
     const elName = el.nodeName.toLowerCase()
 
-    if (whitelistKeys.indexOf(elName) === -1) {
+    if (allowlistKeys.indexOf(elName) === -1) {
       el.parentNode.removeChild(el)
 
       continue
     }
 
     const attributeList = [].concat(...el.attributes)
-    const whitelistedAttributes = [].concat(whiteList['*'] || [], whiteList[elName] || [])
+    const allowedAttributes = [].concat(allowList['*'] || [], allowList[elName] || [])
 
     attributeList.forEach(attr => {
-      if (!allowedAttribute(attr, whitelistedAttributes)) {
+      if (!allowedAttribute(attr, allowedAttributes)) {
         el.removeAttribute(attr.nodeName)
       }
     })

js/tests/unit/util/sanitizer.spec.js

@@ -1,11 +1,11 @@
-import { DefaultWhitelist, sanitizeHtml } from '../../../src/util/sanitizer'
+import { DefaultAllowlist, sanitizeHtml } from '../../../src/util/sanitizer'
 
 describe('Sanitizer', () => {
   describe('sanitizeHtml', () => {
     it('should return the same on empty string', () => {
       const empty = ''
 
-      const result = sanitizeHtml(empty, DefaultWhitelist, null)
+      const result = sanitizeHtml(empty, DefaultAllowlist, null)
 
       expect(result).toEqual(empty)
     })
@@ -18,7 +18,7 @@ describe('Sanitizer', () => {
         '</div>'
       ].join('')
 
-      const result = sanitizeHtml(template, DefaultWhitelist, null)
+      const result = sanitizeHtml(template, DefaultAllowlist, null)
 
       expect(result.indexOf('script') === -1).toEqual(true)
     })
@@ -30,20 +30,20 @@ describe('Sanitizer', () => {
         '</div>'
       ].join('')
 
-      const result = sanitizeHtml(template, DefaultWhitelist, null)
+      const result = sanitizeHtml(template, DefaultAllowlist, null)
 
       expect(result.indexOf('aria-pressed') !== -1).toEqual(true)
       expect(result.indexOf('class="test"') !== -1).toEqual(true)
     })
 
-    it('should remove not whitelist tags', () => {
+    it('should remove tags not in allowlist', () => {
       const template = [
         '<div>',
         '  <script>alert(7)</script>',
         '</div>'
       ].join('')
 
-      const result = sanitizeHtml(template, DefaultWhitelist, null)
+      const result = sanitizeHtml(template, DefaultAllowlist, null)
 
       expect(result.indexOf('<script>') === -1).toEqual(true)
     })
@@ -61,7 +61,7 @@ describe('Sanitizer', () => {
 
       spyOn(DOMParser.prototype, 'parseFromString')
 
-      const result = sanitizeHtml(template, DefaultWhitelist, mySanitize)
+      const result = sanitizeHtml(template, DefaultAllowlist, mySanitize)
 
       expect(result).toEqual(template)
       expect(DOMParser.prototype.parseFromString).not.toHaveBeenCalled()