Merge pull request #2806 from AdamGold/master

feat: 🎸 sanitize HTML in createElement
parallax · Jul 9, 2020 · d6271db · d6271db
2 parents f17e926 + a39396a
commit d6271db
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 5 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -32,6 +32,7 @@
     "atob": "^2.1.2",
     "btoa": "^1.2.1",
     "canvg": "1.5.3",
+    "dompurify": "^2.0.12",
     "es6-promise": "^4.2.8",
     "file-saver": "2.0.1",
     "html2canvas": "^1.0.0-rc.5",

diff --git a/src/modules/html.js b/src/modules/html.js
@@ -49,11 +49,7 @@
     var el = document.createElement(tagName);
     if (opt.className) el.className = opt.className;
     if (opt.innerHTML) {
-      el.innerHTML = opt.innerHTML;
-      var scripts = el.getElementsByTagName("script");
-      for (var i = scripts.length; i-- > 0; ) {
-        scripts[i].parentNode.removeChild(scripts[i]);
-      }
+      el.innerHTML = DOMPurify.sanitize(opt.innerHTML);
     }
     for (var key in opt.style) {
       el.style[key] = opt.style[key];

diff --git a/src/node.js b/src/node.js
@@ -2,3 +2,4 @@ global.atob = require("atob");
 global.btoa = require("btoa");
 global.canvg = require("canvg");
 global.GifReader = require("omggif").GifReader;
+global.DOMPurify = require("dompurify")