Merge pull request from GHSA-qxg5-2qff-p49r

fix: throw TypeError if 'html' is non-string argument
ericnorris · Jun 18, 2021 · f252a6b · f252a6b
2 parents 27a5dd9 + 2719515
commit f252a6b
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -10,7 +10,7 @@
   "main": "src/striptags.js",
   "homepage": "https://github.com/ericnorris/striptags",
   "bugs": "https://github.com/ericnorris/striptags/issues",
-  "version": "3.1.1",
+  "version": "3.2.0",
   "devDependencies": {
     "istanbul": "^0.4.5",
     "mocha": "^3.2.0"

diff --git a/src/striptags.js b/src/striptags.js
@@ -56,6 +56,10 @@
     }
 
     function striptags_internal(html, context) {
+        if (typeof html != "string") {
+            throw new TypeError("'html' parameter must be a string");
+        }
+
         let allowable_tags  = context.allowable_tags;
         let tag_replacement = context.tag_replacement;
 

diff --git a/test/striptags-test.js b/test/striptags-test.js
@@ -157,4 +157,13 @@ describe('striptags', function() {
             assert.equal(part_three, '< amet');
         });
     });
+
+    it('GHSL-2021-074', function() {
+        assert.throws(
+            function() {
+                striptags(["type-confusion"]);
+            },
+            TypeError,
+        );
+    });
 });