(element: any)
| 95 | */ |
| 96 | // TODO(FW-2832): type (using Element triggers other type errors as well) |
| 97 | const sanitizeElement = (element: any) => { |
| 98 | // IE uses childNodes, so ignore nodes that are not elements |
| 99 | if (element.nodeType && element.nodeType !== 1) { |
| 100 | return; |
| 101 | } |
| 102 | |
| 103 | /** |
| 104 | * If attributes is not a NamedNodeMap |
| 105 | * then we should remove the element entirely. |
| 106 | * This helps avoid DOM Clobbering attacks where |
| 107 | * attributes is overridden. |
| 108 | */ |
| 109 | if (typeof NamedNodeMap !== 'undefined' && !(element.attributes instanceof NamedNodeMap)) { |
| 110 | element.remove(); |
| 111 | return; |
| 112 | } |
| 113 | |
| 114 | for (let i = element.attributes.length - 1; i >= 0; i--) { |
| 115 | const attribute = element.attributes.item(i); |
| 116 | const attributeName = attribute.name; |
| 117 | |
| 118 | // remove non-allowed attribs |
| 119 | if (!allowedAttributes.includes(attributeName.toLowerCase())) { |
| 120 | element.removeAttribute(attributeName); |
| 121 | continue; |
| 122 | } |
| 123 | |
| 124 | // clean up any allowed attribs |
| 125 | // that attempt to do any JS funny-business |
| 126 | const attributeValue = attribute.value; |
| 127 | |
| 128 | /** |
| 129 | * We also need to check the property value |
| 130 | * as javascript: can allow special characters |
| 131 | * such as 	 and still be valid (i.e. java	script) |
| 132 | */ |
| 133 | const propertyValue = element[attributeName]; |
| 134 | |
| 135 | /* eslint-disable */ |
| 136 | if ( |
| 137 | (attributeValue != null && attributeValue.toLowerCase().includes('javascript:')) || |
| 138 | (propertyValue != null && propertyValue.toLowerCase().includes('javascript:')) |
| 139 | ) { |
| 140 | element.removeAttribute(attributeName); |
| 141 | } |
| 142 | /* eslint-enable */ |
| 143 | } |
| 144 | |
| 145 | /** |
| 146 | * Sanitize any nested children |
| 147 | */ |
| 148 | const childElements = getElementChildren(element); |
| 149 | |
| 150 | /* eslint-disable-next-line */ |
| 151 | for (let i = 0; i < childElements.length; i++) { |
| 152 | sanitizeElement(childElements[i]); |
| 153 | } |
| 154 | }; |
no test coverage detected