UNPKG

devextreme

Version:

HTML5 JavaScript Component Suite for Responsive Web Development

js.devexpress.com

DevExpress/DevExtreme

51 lines (50 loc) 1.83 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
/** * DevExtreme (esm/__internal/ui/html_editor/utils/html_sanitizer.js) * Version: 25.1.3 * Build date: Wed Jun 25 2025 * * Copyright (c) 2012 - 2025 Developer Express Inc. ALL RIGHTS RESERVED * Read about DevExtreme licensing here: https://js.devexpress.com/Licensing/ */ import $ from "../../../../core/renderer"; export const createNoScriptFrame = () => $("<iframe>").css("display", "none").attr({ srcdoc: "", id: "xss-frame", sandbox: "allow-same-origin" }); export const sanitizeHtml = (quill, value) => { const $frame = createNoScriptFrame().appendTo("body"); const frame = $frame.get(0); const frameWindow = frame.contentWindow; const frameDocument = frameWindow.document; const frameDocumentBody = frameDocument.body; const valueWithoutStyles = quill.replaceStyleAttribute(value); frameDocumentBody.innerHTML = valueWithoutStyles; const removeInlineHandlers = element => { if (element.attributes) { for (let i = 0; i < element.attributes.length; i++) { const { name: name } = element.attributes[i]; if (name.startsWith("on")) { element.removeAttribute(name) } } } if (element.childNodes) { for (let i = 0; i < element.childNodes.length; i++) { removeInlineHandlers(element.childNodes[i]) } } }; removeInlineHandlers(frameDocumentBody); frameDocumentBody.querySelectorAll("script").forEach((scriptNode => { scriptNode.remove() })); const sanitizedHtml = frameDocumentBody.innerHTML; $frame.remove(); return sanitizedHtml }; export default { createNoScriptFrame: createNoScriptFrame };