/**
* DevExtreme (esm/__internal/ui/html_editor/utils/html_sanitizer.js)
* Version: 25.1.3
* Build date: Wed Jun 25 2025
*
* Copyright (c) 2012 - 2025 Developer Express Inc. ALL RIGHTS RESERVED
* Read about DevExtreme licensing here: https://js.devexpress.com/Licensing/
*/
import $ from "../../../../core/renderer";
/**
 * Builds the hidden helper iframe that `sanitizeHtml` parses untrusted markup in.
 *
 * The frame is created detached; the caller appends it to the document. Its
 * `sandbox` value is the security-relevant part: `allow-same-origin` lets the
 * parent page reach `contentWindow.document` to inspect and rewrite the parsed
 * tree, while the absence of `allow-scripts` means markup placed into the frame
 * cannot execute script while it is being inspected. Do not add `allow-scripts`
 * here — it would defeat the purpose of the frame.
 *
 * @returns {object} a renderer ($) wrapper around the `<iframe>` element.
 */
export const createNoScriptFrame = () => {
    const frameAttributes = {
        srcdoc: "",
        id: "xss-frame",
        sandbox: "allow-same-origin"
    };
    const $frame = $("<iframe>");
    return $frame
        .css("display", "none")
        .attr(frameAttributes);
};
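/**
 * Strips active content from an untrusted HTML fragment before Quill consumes it.
 *
 * The fragment is parsed inside the hidden sandboxed iframe from
 * `createNoScriptFrame` (`sandbox="allow-same-origin"`, no `allow-scripts`), so
 * nothing in the markup can execute while the tree is being inspected. Two
 * things are removed from the parsed tree:
 *   - every attribute whose name starts with "on" (inline event handlers),
 *   - every `<script>` element.
 * Inline `style` attributes are rewritten first by `quill.replaceStyleAttribute`.
 *
 * NOTE(review): only the two vectors above are handled here. `javascript:` URLs in
 * href/src, `<iframe>`, `<object>`/`<embed>`, `<meta>`/`<base>` and similar are not
 * touched — confirm that Quill's own content model rejects them before relying on
 * this function as the sole filter.
 * NOTE(review): the returned string is re-parsed by the caller; markup that parses
 * differently the second time (mutation XSS) is not protected against here.
 *
 * @param {object} quill - editor instance exposing `replaceStyleAttribute(html)`.
 * @param {string} value - untrusted HTML fragment.
 * @returns {string} serialized HTML of the frame body after stripping.
 */
export const sanitizeHtml = (quill, value) => {
    const $frame = createNoScriptFrame().appendTo("body");
    try {
        const frameDocumentBody = $frame.get(0).contentWindow.document.body;
        frameDocumentBody.innerHTML = quill.replaceStyleAttribute(value);

        const removeInlineHandlers = element => {
            if (element.attributes) {
                // `attributes` is a live NamedNodeMap: removing entry i shifts the
                // remaining entries down, so a forward index loop skipped the
                // attribute right after each removal (e.g. `<img onerror=a onload=b>`
                // kept `onload`). Snapshot the names first so every handler is seen.
                const attributeNames = Array.from(element.attributes, attr => attr.name);
                for (const name of attributeNames) {
                    // HTML attribute names are already lower-cased by the parser;
                    // toLowerCase() is belt-and-braces only.
                    if (name.toLowerCase().startsWith("on")) {
                        element.removeAttribute(name);
                    }
                }
            }
            if (element.childNodes) {
                // childNodes is live too, but nothing in this loop adds or removes
                // children, so indexing forward is safe here.
                for (let i = 0; i < element.childNodes.length; i++) {
                    removeInlineHandlers(element.childNodes[i]);
                }
            }
        };
        removeInlineHandlers(frameDocumentBody);

        // querySelectorAll returns a static NodeList, so removing while iterating
        // is safe. Type selectors match in any namespace, so SVG <script> is
        // covered as well.
        frameDocumentBody.querySelectorAll("script").forEach(scriptNode => {
            scriptNode.remove();
        });

        return frameDocumentBody.innerHTML;
    } finally {
        // Always detach the helper frame, even if parsing or stripping throws,
        // so a failed call does not leave a sandboxed frame (with a fixed id)
        // attached to the page.
        $frame.remove();
    }
};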
// Default export carries only the frame factory; `sanitizeHtml` is available as a
// named export only.
export default {
    createNoScriptFrame
};