


Substance is a JavaScript library for web-based content editing. It provides building blocks for realizing custom text editors and web-based publishing systems. It is developed to power our online editing platform [Substance](http://substance.io).

import parseMarkup from './parseMarkup'
import DomUtils from './domutils'
import MemoryDOMElement from './MemoryDOMElement'

// Elements the serializer is asked to drop. This is a denylist: any element
// not named here passes through. `form` is deliberately absent and is handled
// by stripFormIds() below instead.
const ELEMENT_BLACK_LIST = new Set([
  'script', 'object', 'embed', 'link', 'math', 'iframe', 'comment', 'base'
])

// Attributes the serializer is asked to drop. URL-bearing attributes (href,
// src, poster, ...) are not listed, so no URI-scheme filtering happens in this
// module; see the TODO below.
const ATTRIBUTE_BLACK_LIST = new Set(['form', 'formaction', 'autofocus', 'dirname'])

/*
  TODO: measures mentioned on html5sec.org
  - Make sure only relative URIs, http URIs and correctly MIME-typed data URIs
    can be used for VIDEO poster attributes
*/

/**
 * Sanitizes an HTML string by parsing it into a MemoryDOMElement tree,
 * stripping the `id` attribute from every <form>, and re-serializing it with
 * the element/attribute denylists above, comment and CDATA stripping, and
 * `disallowHandlers` enabled (presumably the serializer's switch for dropping
 * event-handler attributes — confirm against DomUtils.getOuterHTML).
 *
 * @param {string} html - markup to sanitize
 * @param {object} [options={}] - accepted for API compatibility; not consulted
 * @returns {string} the sanitized outer HTML
 */
export default function sanitizeHTML (html, options = {}) {
  const elementFactory = (type, data) => new MemoryDOMElement(type, data)
  // Note: the input is declared as html but xmlMode is enabled as well.
  const doc = parseMarkup(html, { format: 'html', xmlMode: true, elementFactory })

  stripFormIds(doc)

  const serializerOptions = {
    decodeEntities: true,
    disallowedTags: ELEMENT_BLACK_LIST,
    disallowHandlers: true,
    disallowedAttributes: ATTRIBUTE_BLACK_LIST,
    stripComments: true,
    stripCDATA: true
  }
  return DomUtils.getOuterHTML(doc, serializerOptions)
}

// Removes the `id` attribute from every <form> in the tree. The forms
// themselves are kept, since `form` is not in ELEMENT_BLACK_LIST.
function stripFormIds (doc) {
  doc.findAll('form').forEach(form => form.removeAttribute('id'))
}