79c5b8fac2
* fix: secure html module removes allowfullscreen, allow and frameborder attributes from iframes * Apply suggestions from code review fix: remove deprecated attributes for iframe in secure html module Co-authored-by: Nicolas Giard <github@ngpixel.com>
43 lines
1.2 KiB
JavaScript
43 lines
1.2 KiB
JavaScript
const { JSDOM } = require('jsdom')
|
|
const createDOMPurify = require('dompurify')
|
|
|
|
module.exports = {
|
|
async init(input, config) {
|
|
if (config.safeHTML) {
|
|
const window = new JSDOM('').window
|
|
const DOMPurify = createDOMPurify(window)
|
|
|
|
const allowedAttrs = ['v-pre', 'v-slot:tabs', 'v-slot:content', 'target']
|
|
const allowedTags = ['tabset', 'template']
|
|
|
|
if (config.allowDrawIoUnsafe) {
|
|
allowedTags.push('foreignObject')
|
|
DOMPurify.addHook('uponSanitizeElement', (elm) => {
|
|
if (elm.querySelectorAll) {
|
|
const breaks = elm.querySelectorAll('foreignObject br, foreignObject p')
|
|
if (breaks && breaks.length) {
|
|
for (let i = 0; i < breaks.length; i++) {
|
|
breaks[i].parentNode.replaceChild(
|
|
window.document.createElement('div'),
|
|
breaks[i]
|
|
)
|
|
}
|
|
}
|
|
}
|
|
})
|
|
}
|
|
|
|
if (config.allowIFrames) {
|
|
allowedTags.push('iframe')
|
|
allowedAttrs.push('allow')
|
|
}
|
|
|
|
input = DOMPurify.sanitize(input, {
|
|
ADD_ATTR: allowedAttrs,
|
|
ADD_TAGS: allowedTags
|
|
})
|
|
}
|
|
return input
|
|
}
|
|
}
|