Use DOMPurify in escapeHTML() for a global impact

This commit is contained in:
David Larlet 2023-05-19 15:29:14 -04:00
parent fd3f854a9c
commit 3122286c8e
No known key found for this signature in database

View file

@ -44,7 +44,26 @@ L.Util.setNullableBooleanFromQueryString = (options, name) => {
} }
L.Util.escapeHTML = (s) => { L.Util.escapeHTML = (s) => {
s = s ? s.toString() : '' s = s ? s.toString() : ''
return s.replace(/</gm, '&lt;') s = DOMPurify.sanitize(s, {
USE_PROFILES: { html: true },
ALLOWED_TAGS: [
'h3',
'h4',
'h5',
'hr',
'strong',
'em',
'ul',
'li',
'a',
'div',
'iframe',
'img',
'br',
],
ALLOWED_ATTR: ['target', 'href', 'frameborder', 'src', 'width', 'height'],
})
return s
} }
L.Util.toHTML = (r) => { L.Util.toHTML = (r) => {
if (!r) return '' if (!r) return ''
@ -106,25 +125,7 @@ L.Util.toHTML = (r) => {
// Preserver line breaks // Preserver line breaks
if (newline) r = r.replace(new RegExp(newline + '(?=[^]+)', 'g'), '<br>' + newline) if (newline) r = r.replace(new RegExp(newline + '(?=[^]+)', 'g'), '<br>' + newline)
r = DOMPurify.sanitize(r, { r = L.Util.escapeHTML(r)
USE_PROFILES: { html: true },
ALLOWED_TAGS: [
'h3',
'h4',
'h5',
'hr',
'strong',
'em',
'ul',
'li',
'a',
'div',
'iframe',
'img',
'br',
],
ALLOWED_ATTR: ['target', 'href', 'frameborder', 'src', 'width', 'height'],
})
return r return r
} }