DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
<html>
<head>
<script src="../src/purify.js"></script>
</head>
<body>
<!-- Our DIV to receive content -->
<div id="sanitized"></div>
<!-- Now let's sanitize that content -->
<script>
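/* jshint globalstrict:true */
/* global DOMPurify */
'use strict';

// Specify dirty HTML. This is the untrusted input of the demo: it only ever
// reaches the page through DOMPurify.sanitize(), never by direct assignment.
var dirty = '<p>HELLO<iframe/\/src=JavScript:alert(1)></ifrAMe><br>goodbye</p>';

// Holds the sanitizer output; reassigned after every sanitize() call below.
var clean;

/**
 * True when `node` is a DOM text node (nodeName '#text').
 * All hooks below touch text nodes only, and only through textContent, so a
 * hook can never add elements or attributes to the tree being sanitized.
 */
function isTextNode(node) {
  return node.nodeName === '#text';
}

/** Hook: convert the content of every text node to upper case. */
function upperCaseText(node) {
  if (isTextNode(node)) {
    node.textContent = node.textContent.toUpperCase();
  }
}

/**
 * Hook: wrap the content of every text node in <big>...</big>.
 * Same result as the legacy String.prototype.big(). Because the value goes
 * through textContent it remains literal text; the tags are not parsed into
 * elements.
 */
function wrapInBig(node) {
  if (isTextNode(node)) {
    node.textContent = '<big>' + node.textContent + '</big>';
  }
}

/**
 * Hook: wrap the content of every text node in <b>...</b>.
 * Same result as the legacy String.prototype.bold(), which emits <b>, not
 * <strong>. As above, the tags stay literal text.
 */
function wrapInBold(node) {
  if (isTextNode(node)) {
    node.textContent = '<b>' + node.textContent + '</b>';
  }
}

/**
 * Sanitize `dirty` with whatever hooks are currently registered and append
 * the result to our DIV. innerHTML is only ever fed DOMPurify output here.
 */
function renderSanitized() {
  clean = DOMPurify.sanitize(dirty);
  document.getElementById('sanitized').innerHTML += clean;
}

/**
 * Add one hook, then remove it using removeHook()
 */
// Add a hook to convert all text to capitals
DOMPurify.addHook('beforeSanitizeAttributes', upperCaseText);
// Clean HTML string and write into our DIV
renderSanitized();
// now let's remove the hook again; the return value is logged so you can see
// what removeHook() hands back
console.log(DOMPurify.removeHook('beforeSanitizeAttributes'));
// Clean HTML string and write into our DIV, now without the hook
renderSanitized();

/**
 * Add three hooks, then remove two using removeHooks()
 */
// Add a hook to convert all text to capitals
DOMPurify.addHook('beforeSanitizeAttributes', upperCaseText);
// Add a hook to wrap all text in <big>
DOMPurify.addHook('beforeSanitizeAttributes', wrapInBig);
// Add a hook to wrap all text in <b>; note this one is registered on a
// different hook point (beforeSanitizeElements)
DOMPurify.addHook('beforeSanitizeElements', wrapInBold);
// Clean HTML string and write into our DIV
renderSanitized();
// now let's remove the two beforeSanitizeAttributes hooks again; the
// beforeSanitizeElements hook stays registered
console.log(DOMPurify.removeHooks('beforeSanitizeAttributes'));
// Clean HTML string and write into our DIV
renderSanitized();

/**
 * Add two hooks, then remove them using removeAllHooks()
 *
 * Keep in mind, we still have one from above, the <b> hook
 */
// Add a hook to convert all text to capitals
DOMPurify.addHook('beforeSanitizeAttributes', upperCaseText);
// Add a hook to wrap all text in <big>
DOMPurify.addHook('beforeSanitizeAttributes', wrapInBig);
// Clean HTML string and write into our DIV
renderSanitized();
// now let's remove every hook, on every hook point
console.log(DOMPurify.removeAllHooks());
// Clean HTML string and write into our DIV, now with no hooks at all
renderSanitized();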
</script>
</body>
</html>