less aggressive html sanitize
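--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -12,6 +12,19 @@
 function escapeHtml(str) {
 return str.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"').replace(/'/g,''');
 }
+function sanitizeHtml(html) {
+var tmp = document.createElement('div');
+tmp.innerHTML = html;
+tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+tmp.querySelectorAll('*').forEach(function(node) {
+Array.from(node.attributes).forEach(function(attr) {
+if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+node.removeAttribute(attr.name);
+}
+});
+});
+return tmp.innerHTML;
+}
 function render() {
 if (raw && el && typeof marked !== 'undefined') {
 var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
 var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
 return '<code>' + escaped + '</code>';
 };
-renderer.html = function(html) {
-var content = typeof html === 'object' ? (html.text || '') : html;
-return escapeHtml(content);
-};
-el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
 }
 }
 if (typeof marked !== 'undefined') {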
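Review bot: `tmp.innerHTML = html` in sanitizeHtml parses untrusted markup into a live element, so resource-loading elements it creates (an `<img>`, for example) start fetching as soon as they exist and still carry their inline event-handler attributes at that moment, before the attribute loop below has stripped them; parse into an inert document instead, `var doc = new DOMParser().parseFromString(html, 'text/html'); var tmp = doc.body;` and keep the rest of the function unchanged. The filter is also a denylist: only `href` is tested for a `javascript:` scheme, while other URL-bearing attributes (`src`, `action`, `formaction`, `xlink:href`) and the `style` attribute pass through untouched, and the element list leaves `svg`, `math`, `img`, `video` and `a` in place. An allowlist of permitted elements, attributes and URL schemes (the browser Sanitizer API or a maintained library such as DOMPurify already provide one) is the safer shape; if the denylist stays, say so above the function, e.g. `// Denylist-based: defence in depth only, not a complete sanitizer.` The second hunk's switch from escaping raw HTML blocks to passing them through sanitizeHtml makes this function the only control on markdown-embedded HTML, so its gaps are now directly reachable from the rendered content; the same diff is repeated twice more below this section.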
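--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -12,6 +12,19 @@
 function escapeHtml(str) {
 return str.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"').replace(/'/g,''');
 }
+function sanitizeHtml(html) {
+var tmp = document.createElement('div');
+tmp.innerHTML = html;
+tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+tmp.querySelectorAll('*').forEach(function(node) {
+Array.from(node.attributes).forEach(function(attr) {
+if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+node.removeAttribute(attr.name);
+}
+});
+});
+return tmp.innerHTML;
+}
 function render() {
 if (raw && el && typeof marked !== 'undefined') {
 var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
 var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
 return '<code>' + escaped + '</code>';
 };
-renderer.html = function(html) {
-var content = typeof html === 'object' ? (html.text || '') : html;
-return escapeHtml(content);
-};
-el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
 }
 }
 if (typeof marked !== 'undefined') {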
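--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -12,6 +12,19 @@
 function escapeHtml(str) {
 return str.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"').replace(/'/g,''');
 }
+function sanitizeHtml(html) {
+var tmp = document.createElement('div');
+tmp.innerHTML = html;
+tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+tmp.querySelectorAll('*').forEach(function(node) {
+Array.from(node.attributes).forEach(function(attr) {
+if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+node.removeAttribute(attr.name);
+}
+});
+});
+return tmp.innerHTML;
+}
 function render() {
 if (raw && el && typeof marked !== 'undefined') {
 var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
 var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
 return '<code>' + escaped + '</code>';
 };
-renderer.html = function(html) {
-var content = typeof html === 'object' ? (html.text || '') : html;
-return escapeHtml(content);
-};
-el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
 }
 }
 if (typeof marked !== 'undefined') {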