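// Elements that can run script, load external resources or capture user
// input. Matched case-insensitively; `[^>]*` swallows attributes and newlines
// so a tag split across lines is still removed.
const BLOCKED_TAG_PATTERN = /<\/?(script|style|iframe|object|embed|link|meta|base|form|input|button|textarea|select)[^>]*>/gi
// Inline event-handler attributes (onclick, onerror, onload, ...). The value
// may be quoted (including across newlines, hence `[\s\S]`) or unquoted, in
// which case it ends at whitespace or the closing `>`.
const EVENT_HANDLER_PATTERN = /\son[a-z]+\s*=\s*(?:(['"])[\s\S]*?\1|[^\s>]*)/gi
// href/src attributes whose value begins with the javascript: scheme, quoted
// or unquoted. Group 1 is the attribute name and is reused by the replacement.
const JS_PROTOCOL_PATTERN = /\s(href|src)\s*=\s*(?:(['"])\s*javascript:[^'"]*\2|javascript:[^\s>]*)/gi

/**
 * Strip a deny-list of dangerous markup from an HTML fragment.
 *
 * This is a regex deny-list, not a parser-based allow-list: it removes the
 * element and attribute forms above but does not model HTML tokenisation or
 * normalise entity-encoded / obfuscated values. Treat it as defence in depth
 * and prefer a parser-based sanitiser (e.g. DOMPurify) for untrusted content
 * that will be rendered.
 *
 * @param {unknown} input - Value to sanitise; non-strings are coerced with String().
 * @returns {string} The trimmed fragment with blocked tags, event-handler
 *   attributes and javascript: URLs removed; '' for null or undefined.
 */
function sanitizeHtml(input) {
  if (input == null) return ''
  let html = String(input)
  // One replace pass is not enough: removing a blocked tag can join the text
  // around it into another blocked tag (e.g. `<scr<script>ipt>`). Repeat until
  // the string stops changing. Every replacement strictly shortens the string
  // (`javascript:` is longer than the `"#"` it becomes), so the loop terminates.
  let previous
  do {
    previous = html
    html = html.replace(BLOCKED_TAG_PATTERN, '')
    html = html.replace(EVENT_HANDLER_PATTERN, '')
    html = html.replace(JS_PROTOCOL_PATTERN, ' $1="#"')
  } while (html !== previous)
  return html.trim()
}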
// CommonJS export; consumers destructure `sanitizeHtml` from the module.
Object.assign(module.exports, { sanitizeHtml })