feat: remove xss (#252)

closes #251

README.md

@@ -249,13 +249,6 @@ Type: `String`
 
 The HTML markup for extracting the content.
 
-##### escape
-
-Type: `Boolean`<br>
-Default: `true`
-
-It sanetizes the ouptut to prevent xss attacks.
-
 #### rules
 
 Type: `Array`

packages/metascraper-iframe/test/index.js

@@ -44,7 +44,7 @@ describe('metascraper-iframe', () => {
       commonProviders.forEach(url => {
         it(url, async () => {
           const metascraper = createMetascraper([createMetascraperIframe()])
-          const meta = await metascraper({ url, escape: false })
+          const meta = await metascraper({ url })
           should(meta.iframe).be.not.null()
         })
       })
@@ -54,7 +54,7 @@ describe('metascraper-iframe', () => {
       const url = 'https://view.genial.ly/5dc53cfa759d2a0f4c7db5f4'
       const rules = [createMetascraperIframe()]
       const metascraper = createMetascraper(rules)
-      const meta = await metascraper({ url, html, escape: false })
+      const meta = await metascraper({ url, html })
       should(meta.iframe).be.not.null()
     })
   })

packages/metascraper-soundcloud/__snapshots__/index.js.snap-shot

@@ -1,6 +1,6 @@
 exports['song 1'] = {
   "author": "Beauty Brain",
-  "description": "Thanks for 5.000 likes on https://www.facebook.com/BeautyBrainMusic :D <3 <3 <3",
+  "description": "Thanks for 5.000 likes on https://www.facebook.com/BeautyBrainMusic :D <3 <3 <3",
   "date": "2014-01-27T16:19:55.000Z",
   "image": "https://i1.sndcdn.com/artworks-000069142357-nwttc6-t500x500.jpg",
   "lang": "en",

packages/metascraper/package.json

@@ -61,9 +61,7 @@
     "cheerio": "~1.0.0-rc.3",
     "cheerio-advanced-selectors": "~2.0.1",
     "lodash": "~4.17.15",
-    "map-values-deep": "~1.0.2",
-    "whoops": "~4.1.0",
-    "xss": "~1.0.6"
+    "whoops": "~4.1.0"
   },
   "devDependencies": {
     "clear-module": "latest",

packages/metascraper/src/get-data.js

@@ -1,9 +1,7 @@
 'use strict'
 
-const { isString, map, fromPairs } = require('lodash')
-const mapValuesDeep = require('map-values-deep')
+const { map, fromPairs } = require('lodash')
 const { has } = require('@metascraper/helpers')
-const xss = require('xss')
 
 const truthyTest = () => true
 
@@ -24,20 +22,18 @@ const getValue = async ({ htmlDom, url, rules, meta, ...props }) => {
   return value
 }
 
-const escapeValue = (value, { escape }) => {
-  if (!has(value)) return null
-  if (!escape) return value
-  return mapValuesDeep(value, value => (isString(value) ? xss(value) : value))
-}
+const normalizeValue = value => (has(value) ? value : null)
 
-const getData = async ({ rules, htmlDom, url, escape, ...props }) => {
+const getData = async ({ rules, htmlDom, url, ...props }) => {
   const data = await Promise.all(
     map(rules, async ([propName, innerRules]) => {
-      const value = escapeValue(
-        await getValue({ htmlDom, url, rules: innerRules, ...props }),
-        { escape }
-      )
-      return [propName, value]
+      const value = await getValue({
+        htmlDom,
+        url,
+        rules: innerRules,
+        ...props
+      })
+      return [propName, normalizeValue(value)]
     })
   )
 

packages/metascraper/src/index.js

@@ -11,13 +11,7 @@ const MetascraperError = whoops('MetascraperError')
 
 module.exports = rules => {
   const loadedRules = loadRules(rules)
-  return async ({
-    url,
-    html,
-    rules: inlineRules,
-    escape = true,
-    ...props
-  } = {}) => {
+  return async ({ url, html, rules: inlineRules, ...props } = {}) => {
     if (!isUrl(url)) {
       throw new MetascraperError({
         message: 'Need to provide a valid URL.',
@@ -27,7 +21,6 @@ module.exports = rules => {
 
     return getData({
       url,
-      escape,
       htmlDom: loadHTML(html),
       rules: mergeRules(inlineRules, loadedRules),
       ...props

packages/metascraper/test/unit/interface.js

@@ -30,36 +30,6 @@ it('url is required', async () => {
   }
 })
 
-it('escape is enabled by default', async () => {
-  const html = `
-  <!doctype html>
-  <html xmlns:og="http://ogp.me/ns#" lang="en">
-
-  <head>
-      <meta charset="utf8">
-      <title>metascraper</title>
-      <meta property="og:description" content="The HR startups go to war.">
-      <meta property="og:image" content="image">
-      <meta property="og:title" content="<script src='http://127.0.0.1:8080/malware.js'></script>">
-      <meta property="og:type" content="article">
-      <meta property="og:url" content="http://127.0.0.1:8080">
-  </head>
-
-  <body>
-  </body>
-  </html>
-  `
-  const metascraper = createMetascraper([titleRules])
-  const metadata = await metascraper({
-    html,
-    url: 'http://127.0.0.1:8080'
-  })
-
-  should(metadata.title).be.equal(
-    '&lt;script src=‘http://127.0.0.1:8080/malware.js’&gt;&lt;/script&gt;'
-  )
-})
-
 it('load extra rules', async () => {
   const url = 'https://microlink.io'