mirror of
https://github.com/ankitects/anki.git
synced 2025-09-18 14:02:21 -04:00
1c156905f8
The editor already strips script tags from fields, but was allowing through Javascript in things like onclick handlers. We block this now, as the editor context has access to internal APIs that we don't want to expose to untrusted third-party code.
10 lines
396 B
TypeScript
10 lines
396 B
TypeScript
// Copyright: Ankitects Pty Ltd and contributors
|
|
// License: GNU AGPL, version 3 or later; http://www.gnu.org/licenses/agpl.html
|
|
|
|
import DOMPurify from "dompurify";
|
|
|
|
export function sanitize(html: string): string {
|
|
// We need to treat the text as a document fragment, or a style tag
|
|
// at the start of input will be discarded.
|
|
return DOMPurify.sanitize(html, { FORCE_BODY: true });
|
|
}
|