/**
* DevExtreme (cjs/__internal/ui/html_editor/utils/html_sanitizer.js)
* Version: 25.1.3
* Build date: Wed Jun 25 2025
*
* Copyright (c) 2012 - 2025 Developer Express Inc. ALL RIGHTS RESERVED
* Read about DevExtreme licensing here: https://js.devexpress.com/Licensing/
*/
;
// Mark the module as transpiled ESM so interop helpers unwrap `default`.
Object.defineProperty(exports, "__esModule", {
  value: true
});
// Pre-declare the named exports before their definitions assign them.
// Assignment order is deliberate: it fixes the key order of `exports`.
exports.createNoScriptFrame = void 0;
exports.default = void 0;
exports.sanitizeHtml = void 0;
// Project-local renderer (used below with a jQuery-style `.css/.attr/.appendTo`
// API); wrapped so both ESM and CJS builds of it resolve to `.default`.
var _renderer = _interopRequireDefault(require("../../../../core/renderer"));
/**
 * Normalizes a required module so that `.default` is always usable.
 *
 * @param {*} e - the value returned by `require(...)`.
 * @returns {*} `e` itself when it is a transpiled ES module (has a truthy
 *   `__esModule` flag); otherwise a wrapper `{ default: e }`.
 */
function _interopRequireDefault(e) {
  if (e && e.__esModule) {
    return e;
  }
  return {
    default: e
  };
}
/**
 * Builds the hidden helper iframe used as a parsing sandbox by `sanitizeHtml`.
 *
 * The frame is created detached (the caller appends it) with an empty
 * `srcdoc`, the fixed id `xss-frame`, and a `sandbox` attribute that grants
 * only `allow-same-origin` — no `allow-scripts` token, so the caller can read
 * `contentWindow.document` while script execution inside the frame stays off.
 *
 * @returns {*} the renderer wrapper around the new `<iframe>` element.
 */
const createNoScriptFrame = () => {
  const render = _renderer.default;
  const $hiddenFrame = render("<iframe>").css("display", "none");
  return $hiddenFrame.attr({
    srcdoc: "",
    id: "xss-frame",
    sandbox: "allow-same-origin"
  });
};
exports.createNoScriptFrame = createNoScriptFrame;
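/**
 * Strips inline event-handler attributes and `<script>` elements from an HTML
 * string by parsing it inside the hidden, sandboxed frame from
 * `createNoScriptFrame`.
 *
 * The markup is first passed through `quill.replaceStyleAttribute`, then
 * parsed in the frame (whose `sandbox` attribute carries no `allow-scripts`
 * token, so nothing in the untrusted markup runs while it is cleaned), and
 * finally re-serialized from the frame body's `innerHTML`.
 *
 * Scope: only `on*` attributes and `<script>` elements are removed. Any other
 * policy the host application needs (URL schemes in href/src, embedded
 * frames/objects, CSS) is not enforced here and must be applied by the caller.
 *
 * @param {{ replaceStyleAttribute: (html: string) => string }} quill - Quill
 *   instance (or any object exposing `replaceStyleAttribute`).
 * @param {string} value - untrusted HTML markup.
 * @returns {string} the sanitized markup as serialized by the frame document.
 */
const sanitizeHtml = (quill, value) => {
  // Recursively drops every attribute whose name starts with "on".
  // `element.attributes` is a live NamedNodeMap: removing entry i shifts the
  // following entries down, so an ascending index loop would skip the
  // attribute right after each removal (e.g. the second of two handlers on
  // one element). Snapshot the names first, then remove.
  const removeInlineHandlers = (element) => {
    if (element.attributes) {
      const names = Array.from(element.attributes, (attr) => attr.name);
      for (const name of names) {
        // Case-insensitive on purpose; parsed HTML attribute names are
        // normally lowercase already, so this only adds margin.
        if (name.toLowerCase().startsWith("on")) {
          element.removeAttribute(name);
        }
      }
    }
    if (element.childNodes) {
      // Nothing below removes child nodes, so iterating the live list is safe.
      for (const child of element.childNodes) {
        removeInlineHandlers(child);
      }
    }
  };

  const $frame = createNoScriptFrame().appendTo("body");
  try {
    const frame = $frame.get(0);
    const frameDocument = frame.contentWindow.document;
    const frameDocumentBody = frameDocument.body;
    const valueWithoutStyles = quill.replaceStyleAttribute(value);
    frameDocumentBody.innerHTML = valueWithoutStyles;
    removeInlineHandlers(frameDocumentBody);
    // querySelectorAll returns a static list, so removing while iterating is fine.
    frameDocumentBody.querySelectorAll("script").forEach((scriptNode) => {
      scriptNode.remove();
    });
    return frameDocumentBody.innerHTML;
  } finally {
    // Always detach the helper frame, even if the quill hook or parsing throws;
    // otherwise a frame with id "xss-frame" would be left in the host document.
    $frame.remove();
  }
};
exports.sanitizeHtml = sanitizeHtml;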
// Default export only carries the frame factory; `sanitizeHtml` is a named export.
const _default = {
  createNoScriptFrame
};
exports.default = _default;