jointjs
JavaScript diagramming library
<pre class="docs-method-signature"><code>util.sanitizeHTML(html)</code></pre>
<p>Sanitize the provided HTML (string) to protect against XSS attacks. The algorithm has several steps:</p>
<ul>
<li>Wrap the provided HTML inside a <code>&lt;div&gt;</code> tag. Parsing the input in that context discards tags that are invalid inside a <code>&lt;div&gt;</code> (e.g. <code>&lt;html&gt;</code>, <code>&lt;body&gt;</code> and <code>&lt;head&gt;</code>).</li>
<li>Parse the wrapped HTML in a new, inert document context (using <code>jQuery.parseHTML()</code> with no context argument, which parses into a fresh document rather than the live page). Because that document is not attached to the page, inline event handlers do not fire and <code>&lt;img&gt;</code> sources are not fetched while parsing.</li>
<li>Discard all <code>&lt;script&gt;</code> tags (<code>jQuery.parseHTML()</code> does this when its <code>keepScripts</code> argument is <code>false</code>).</li>
<li>Iterate through all DOM nodes and remove every event-handler attribute, i.e. every attribute whose name starts with <code>on</code> (e.g. <code>onload</code>, <code>onerror</code>).</li>
<li>Iterate through the remaining attributes of each node and remove every attribute whose value uses the <code>javascript:</code> pseudo-protocol (e.g. <code>href="javascript:..."</code>, <code>src="javascript:..."</code>).</li>
<li>Return the sanitized HTML back as a string.</li>
</ul>
<p>These six steps protect against the most common XSS vectors; however, we cannot guarantee bulletproof security here. If you need stronger guarantees, keep an eye on a <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet">list of XSS attack vectors</a> and replace the <code>joint.util.sanitizeHTML()</code> function with your own, more secure version.</p>
<p>Examples:</p>
<pre><code>joint.util.sanitizeHTML('&lt;html&gt;&lt;body&gt;&lt;p&gt;Hello&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;'); // => '&lt;p&gt;Hello&lt;/p&gt;'
joint.util.sanitizeHTML('&lt;p&gt;Hello&lt;/p&gt;&lt;script&gt;alert("Hacked");&lt;/script&gt;'); // => '&lt;p&gt;Hello&lt;/p&gt;'
joint.util.sanitizeHTML('&lt;p&gt;Hello&lt;/p&gt;&lt;img onload="alert(&quot;Hacked&quot;);"&gt;'); // => '&lt;p&gt;Hello&lt;/p&gt;&lt;img&gt;'
joint.util.sanitizeHTML('&lt;p&gt;Hello&lt;/p&gt;&lt;img src="javascript:alert(&quot;Hacked&quot;);"&gt;'); // => '&lt;p&gt;Hello&lt;/p&gt;&lt;img&gt;'</code></pre>
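<p>As an added example (not JointJS's own code), here are the same six steps re-implemented without jQuery, using the browser's <code>DOMParser</code>. Like <code>jQuery.parseHTML()</code> with no context, <code>DOMParser</code> parses into a fresh document that has scripting disabled and is not attached to the page, so inline handlers do not run and <code>&lt;img&gt;</code> sources are not fetched during parsing. The attribute policy is factored into a pure function, <code>isDangerousAttribute()</code>, so it can be unit-tested outside a browser. One assumption beyond the text above: the <code>javascript:</code> check is applied after removing ASCII tabs and newlines, stripping leading control characters and lower-casing the value, because that is how a browser normalizes a URL before matching its scheme, so variants such as <code>JavaScript:</code> or <code>jav&amp;#x0A;ascript:</code> (decoded to a newline by the parser) are caught as well. The function names are this example's own.</p>

```javascript
// Added example, not JointJS code: the six sanitizeHTML() steps re-implemented
// on top of the browser's DOMParser instead of jQuery.parseHTML().

// Steps 4 and 5 as a pure policy function: reject inline event handlers and
// javascript: URLs. Assumption (not stated on the page): names and values are
// normalized first, mirroring how a browser treats attribute names (ASCII
// case-insensitive) and URLs (tabs/newlines removed anywhere, leading C0
// controls and spaces stripped, scheme matched case-insensitively).
function isDangerousAttribute(name, value) {
  const attr = name.toLowerCase();
  if (attr.startsWith('on')) return true;            // onload, onerror, ONCLICK, ...
  const url = String(value)
    .replace(/[\t\n\r]/g, '')                        // browsers drop tabs/newlines inside URLs
    .replace(/^[\u0000-\u0020]+/, '')                // ...and leading controls/spaces
    .toLowerCase();                                  // scheme comparison is case-insensitive
  return url.startsWith('javascript:');              // "JavaScript:", " javascript:", "java\nscript:"
}

// The full algorithm. Runs only in a browser (or any environment that provides DOMParser).
function sanitizeHTML(html) {
  // Steps 1-2: wrap in <div> and parse into a fresh, inert document. The parser
  // drops <html>/<body>/<head> in this context, nothing executes and nothing is
  // fetched, because the new document is not attached to the page.
  const doc = new DOMParser().parseFromString('<div>' + html + '</div>', 'text/html');
  const root = doc.body.firstElementChild;          // our wrapper <div>

  // Step 3: discard every <script> element.
  root.querySelectorAll('script').forEach((script) => script.remove());

  // Steps 4-5: strip dangerous attributes from every remaining element.
  // Copy the live NamedNodeMap first, since removeAttribute() mutates it.
  root.querySelectorAll('*').forEach((el) => {
    for (const { name, value } of Array.from(el.attributes)) {
      if (isDangerousAttribute(name, value)) el.removeAttribute(name);
    }
  });

  // Step 6: serialize the wrapper's children back to a string. Any input that
  // closes the wrapper early (a stray </div>) ends up outside it and is dropped.
  return root.innerHTML;
}

// Stand-alone demo; skipped where there is no DOM (e.g. plain Node.js).
if (typeof DOMParser !== 'undefined') {
  console.log(sanitizeHTML('<html><body><p>Hello</p></body></html>'));
  console.log(sanitizeHTML('<p>Hello</p><script>alert("Hacked");</script>'));
  console.log(sanitizeHTML('<p>Hello</p><img ONERROR="alert(1)" src=" JavaScript:alert(1)">'));
}
```

<p>In a page that loads JointJS, assigning <code>joint.util.sanitizeHTML = sanitizeHTML;</code> swaps this version in for the built-in, which is the replacement route the text above suggests. Both versions only remove the vectors named in the six steps, so the caveat about following the OWASP evasion list applies equally to this example.</p>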