Fixing up javascript cleanup on safeHtml
This commit is contained in:
parent
e030343881
commit
9cccd96725
@ -9,10 +9,16 @@ export class SafeHtmlPipe implements PipeTransform {
|
||||
|
||||
transform(value: any, args?: any): any {
|
||||
// Allow html, disallow scripts, onclick, etc.
|
||||
// if appears "script" tag, remove it and all following characters (to avoid XSS)
|
||||
value = value.replace(/<\s*script\s*/gi, '');
|
||||
// Remove if exists any javascript event
|
||||
// eslint-disable-next-line max-len
|
||||
value = value.replace(/onclick|onmouseover|onmouseout|onmousemove|onmouseenter|onmouseleave|onmouseup|onmousedown|onkeyup|onkeydown|onkeypress|onkeydown|onkeypress|onkeyup|onchange|onfocus|onblur|onload|onunload|onabort|onerror|onresize|onscroll/gi, '');
|
||||
// Remove all events: 'onclick', 'onmouseover', 'onmouseout',
|
||||
// 'onmousemove', 'onmouseenter', 'onmouseleave', 'onmouseup',
|
||||
// 'onmousedown', 'onkeyup', 'onkeydown', 'onkeypress', 'onkeydown',
|
||||
// 'onkeypress', 'onkeyup', 'onchange', 'onfocus', 'onblur', 'onload', 'onunload', 'onabort', 'onerror', 'onresize', 'onscroll'
|
||||
value = value.replace(/on\w+\s*=\s*['"]?[^'"]*['"]?/gi, '');
|
||||
|
||||
// Remove if exists any javascript: reference
|
||||
value = value.replace(/javascript\s*\:/gi, '');
|
||||
|
||||
|
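Review bot: The blocklist regexes in transform (the `<\s*script\s*` strip, the event-name strip, the `on\w+\s*=` strip and the `javascript\s*:` strip) are a pattern-based denylist, and a denylist that deletes substrings in a single pass is not a dependable defence against active content in HTML; the safer approach is an allowlist sanitizer, e.g. letting Angular do it with `this.sanitizer.sanitize(SecurityContext.HTML, value)` (DomSanitizer injected in the constructor, which is outside this hunk) or a dedicated library, and only then wrapping the result as trusted. The comment "remove it and all following characters" does not match `value.replace(/<\s*script\s*/gi, '')`, which removes only the opening token and leaves the rest of the element in place; either reword it to `// strip the opening <script token only` or make the code do what the comment says. The event-attribute regex's `[^'"]*` on an unquoted value keeps consuming until the next quote anywhere later in the string, so it can also delete legitimate markup. The `value: any` / `any` return type on the signature hide that `replace` is called on whatever arrives; `transform(value: string, args?: unknown): string` with a guard for non-string input would make the contract explicit. The transform body ends outside the hunk.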