
Fixing up javascript cleanup on safeHtml

This commit is contained in:
Adolfo Gómez García 2024-08-17 19:35:45 +02:00
parent e030343881
commit 9cccd96725
No known key found for this signature in database
GPG Key ID: DD1ABF20724CDA23


@ -9,10 +9,16 @@ export class SafeHtmlPipe implements PipeTransform {
transform(value: any, args?: any): any {
// Allow html, disallow scripts, onclick, etc.
// if appears "script" tag, remove it and all following characters (to avoid XSS)
value = value.replace(/<\s*script\s*/gi, '');
// Remove if exists any javascript event
// eslint-disable-next-line max-len
value = value.replace(/onclick|onmouseover|onmouseout|onmousemove|onmouseenter|onmouseleave|onmouseup|onmousedown|onkeyup|onkeydown|onkeypress|onkeydown|onkeypress|onkeyup|onchange|onfocus|onblur|onload|onunload|onabort|onerror|onresize|onscroll/gi, '');
// Remove all events: 'onclick', 'onmouseover', 'onmouseout',
// 'onmousemove', 'onmouseenter', 'onmouseleave', 'onmouseup',
// 'onmousedown', 'onkeyup', 'onkeydown', 'onkeypress', 'onkeydown',
// 'onkeypress', 'onkeyup', 'onchange', 'onfocus', 'onblur', 'onload', 'onunload', 'onabort', 'onerror', 'onresize', 'onscroll'
value = value.replace(/on\w+\s*=\s*['"]?[^'"]*['"]?/gi, '');
// Remove if exists any javascript: reference
value = value.replace(/javascript\s*\:/gi, '');