{"ast":null,"code":"/**\n * Does a simple sanitization of all elements\n * in an untrusted string\n */\nconst sanitizeDOMString = untrustedString => {\n try {\n if (untrustedString instanceof IonicSafeString) {\n return untrustedString.value;\n }\n if (!isSanitizerEnabled() || typeof untrustedString !== 'string' || untrustedString === '') {\n return untrustedString;\n }\n /**\n * Create a document fragment\n * separate from the main DOM,\n * create a div to do our work in\n */\n const documentFragment = document.createDocumentFragment();\n const workingDiv = document.createElement('div');\n documentFragment.appendChild(workingDiv);\n workingDiv.innerHTML = untrustedString;\n /**\n * Remove any elements\n * that are blocked\n */\n blockedTags.forEach(blockedTag => {\n const getElementsToRemove = documentFragment.querySelectorAll(blockedTag);\n for (let elementIndex = getElementsToRemove.length - 1; elementIndex >= 0; elementIndex--) {\n const element = getElementsToRemove[elementIndex];\n if (element.parentNode) {\n element.parentNode.removeChild(element);\n } else {\n documentFragment.removeChild(element);\n }\n /**\n * We still need to sanitize\n * the children of this element\n * as they are left behind\n */\n const childElements = getElementChildren(element);\n /* tslint:disable-next-line */\n for (let childIndex = 0; childIndex < childElements.length; childIndex++) {\n sanitizeElement(childElements[childIndex]);\n }\n }\n });\n /**\n * Go through remaining elements and remove\n * non-allowed attribs\n */\n // IE does not support .children on document fragments, only .childNodes\n const dfChildren = getElementChildren(documentFragment);\n /* tslint:disable-next-line */\n for (let childIndex = 0; childIndex < dfChildren.length; childIndex++) {\n sanitizeElement(dfChildren[childIndex]);\n }\n // Append document fragment to div\n const fragmentDiv = document.createElement('div');\n fragmentDiv.appendChild(documentFragment);\n // First child is always the div we did 
our work in\n const getInnerDiv = fragmentDiv.querySelector('div');\n return getInnerDiv !== null ? getInnerDiv.innerHTML : fragmentDiv.innerHTML;\n } catch (err) {\n console.error(err);\n return '';\n }\n};\n/**\n * Clean up current element based on allowed attributes\n * and then recursively dig down into any child elements to\n * clean those up as well\n */\nconst sanitizeElement = element => {\n // IE uses childNodes, so ignore nodes that are not elements\n if (element.nodeType && element.nodeType !== 1) {\n return;\n }\n for (let i = element.attributes.length - 1; i >= 0; i--) {\n const attribute = element.attributes.item(i);\n const attributeName = attribute.name;\n // remove non-allowed attribs\n if (!allowedAttributes.includes(attributeName.toLowerCase())) {\n element.removeAttribute(attributeName);\n continue;\n }\n // clean up any allowed attribs\n // that attempt to do any JS funny-business\n const attributeValue = attribute.value;\n /* tslint:disable-next-line */\n if (attributeValue != null && attributeValue.toLowerCase().includes('javascript:')) {\n element.removeAttribute(attributeName);\n }\n }\n /**\n * Sanitize any nested children\n */\n const childElements = getElementChildren(element);\n /* tslint:disable-next-line */\n for (let i = 0; i < childElements.length; i++) {\n sanitizeElement(childElements[i]);\n }\n};\n/**\n * IE doesn't always support .children\n * so we revert to .childNodes instead\n */\nconst getElementChildren = el => {\n return el.children != null ? el.children : el.childNodes;\n};\nconst isSanitizerEnabled = () => {\n const win = window;\n const config = win && win.Ionic && win.Ionic.config;\n if (config) {\n if (config.get) {\n return config.get('sanitizerEnabled', true);\n