//With help from: http://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression
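/**
 * The object that exposes the sanitizer.
 *
 * SECURITY NOTE (review): this is a regex-based *denylist* sanitizer. It only
 * removes the tags and attributes it is told about (by default `<script>` and
 * the `on*` handler attributes in `defaultAttributes`). It does not parse HTML,
 * so it cannot see things such as `href="javascript:..."`, `<iframe srcdoc>`,
 * `<object>`/`<embed>`, `<style>`, or any handler name missing from the list.
 * Treat its output as defence in depth, not as proof of safety; for untrusted
 * HTML prefer a parser-based sanitizer plus a Content-Security-Policy.
 *
 * @namespace
 * @property {function} sanitize - Sanitizes html to remove unsafe content
 * @property {namespace} utils - An object containing utility functions
 * @property {string[]} defaultAttributes - Attribute names stripped by default
 */
var script_sanitize = {
  /**
   * An object containing utility functions
   * @namespace
   */
  utils: {
    /**
     * Returns a boolean saying whether obj is neither undefined nor null.
     * @param {object} obj - the value to check
     * @returns {boolean}
     */
    isDefined: function (obj) {
      return typeof obj !== 'undefined' && obj !== null;
    },
    /**
     * Returns variable, or defaultValue when variable is undefined/null.
     * `false`, `0` and `""` are defined values and are returned as-is.
     * @param {object} variable - The value to check
     * @param {object} defaultValue - The value to return if variable is undefined/null
     * @returns {object}
     */
    defaultFor: function (variable, defaultValue) {
      // Reference the namespace rather than `this` so a detached call still works.
      return script_sanitize.utils.isDefined(variable) ? variable : defaultValue;
    },
    /**
     * Escapes every regex metacharacter in text so it can be embedded in a
     * pattern literally. Tag and attribute names come from caller options and
     * would otherwise be interpreted as regex syntax (e.g. "x(y" throws).
     * @param {string} text - The text to escape
     * @returns {string}
     */
    escapeRegex: function (text) {
      return String(text).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    },
    /**
     * Generates a regex object to select a start tag, its content and its end tag.
     * The inner group consumes any '<' that does not begin the matching end tag,
     * so markup nested inside the element is removed together with it.
     * @param {string} tag - The name of the tag to select
     * @returns {RegExp}
     */
    generateRegexForTag: function (tag) {
      var t = script_sanitize.utils.escapeRegex(tag);
      var a = "<" + t + "\\b[^<]*(?:(?!<\\/" + t + ">)<[^<]*)*<\\/" + t + "\\s*>";
      return new RegExp(a, "gi");
    },
    /**
     * Generates a regex object to select a lone start tag.
     * The closing '>' is optional on purpose: an unterminated "<script src=..."
     * at the end of a fragment still becomes a start tag once the surrounding
     * document supplies the '>', so it must not survive sanitization.
     * @param {string} tag - The name of the tag to select
     * @returns {RegExp}
     */
    generateRegexForStartTag: function (tag) {
      var t = script_sanitize.utils.escapeRegex(tag);
      return new RegExp("<" + t + "\\b[^>]*>?", "gi");
    },
    /**
     * Generates a regex object to select an end tag.
     * Anything between the name and '>' is tolerated because the HTML tokenizer
     * still treats "</script foo>" as an end tag.
     * @param {string} tag - The name of the tag to select
     * @returns {RegExp}
     */
    generateRegexForEndTag: function (tag) {
      var t = script_sanitize.utils.escapeRegex(tag);
      return new RegExp("<\\/" + t + "\\b[^>]*>", "gi");
    },
    /**
     * Generates a regex object to select an attribute together with its value.
     * Matches name="value", name='value' and the unquoted form name=value, with
     * optional whitespace around '='. Unquoted values end at whitespace or '>'.
     * The name is matched as a substring (no word boundary), which is the
     * over-aggressive side for a denylist.
     * @param {string} attribute - The name of the attribute to select
     * @returns {RegExp}
     */
    generateRegexForAttribute: function (attribute) {
      var n = script_sanitize.utils.escapeRegex(attribute);
      var a = n + "\\s*=\\s*(?:\"[^\"]*\"|'[^']*'|[^\\s>\"']*)";
      return new RegExp(a, "gi");
    }
  },
  /**
   * An array of the default attributes
   * @name defaultAttributes
   * @static
   * @description Event-handler attribute names stripped when options.attributes
   * is not given. NOTE(review): this is a denylist — any handler attribute not
   * named here passes through untouched.
   */
  defaultAttributes: [
    // window / document
    "onafterprint", "onbeforeprint", "onbeforeunload", "onerror", "onhashchange", "onload", "onoffline",
    "ononline", "onpagehide", "onpageshow", "onpopstate", "onresize", "onstorage", "onunload", "onmessage",
    // form / focus
    "onblur", "onchange", "oncontextmenu", "onfocus", "onfocusin", "onfocusout", "oninput", "oninvalid",
    "onreset", "onsearch", "onselect", "onselectstart", "onsubmit", "onbeforeinput", "onformdata",
    // keyboard / mouse / pointer / touch
    "onkeydown", "onkeyup", "onkeypress", "onclick", "onauxclick", "ondblclick", "onmousedown", "onmousemove",
    "onmouseout", "onmouseover", "onmouseup", "onmouseenter", "onmouseleave", "onmousewheel", "onwheel",
    "onpointerdown", "onpointerup", "onpointermove", "onpointerover", "onpointerout", "onpointerenter",
    "onpointerleave", "onpointercancel", "ontouchstart", "ontouchend", "ontouchmove", "ontouchcancel",
    // drag / clipboard / scroll
    "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop",
    "onscroll", "oncopy", "oncut", "onpaste",
    // media
    "onabort", "oncanplay", "oncanplaythrough", "oncuechange", "ondurationchange", "onemptied", "onended",
    "onloadeddata", "onloadedmetadata", "onloadstart", "onpause", "onplay", "onplaying", "onprogress",
    "onratechange", "onseeked", "onseeking", "onstalled", "onsuspend", "ontimeupdate", "onvolumechange",
    "onwaiting",
    // misc / CSS animation / SVG animation timing
    "onshow", "ontoggle", "onanimationstart", "onanimationend", "onanimationiteration", "ontransitionend",
    "onbegin", "onend", "onrepeat"
  ],
  /**
   * Sanitizes html to remove unsafe content: for every tag in options.tags the
   * whole element is replaced by options.replacementText, then leftover lone
   * end tags and lone start tags of that tag are removed, then every attribute
   * in options.attributes is dropped (attributes are never replaced with
   * replacementText). Non-string input (null/undefined) is treated as "".
   *
   * @param {string} html - The html to be sanitized
   * @param {object} [options] - An object detailing the options for sanitizing
   * @param {string} [options.replacementText = ""] - The string to replace removed elements with.
   *   It must not itself contain markup that the configured tags would match.
   * @param {boolean} [options.loop = true] - Re-scan after each pass so elements exposed by a
   *   removal (e.g. "<scr<script></script>ipt>") are caught; false does a single pass
   * @param {boolean} [options.removeEndTagsAfter = true] - Remove end tags left without a start tag
   * @param {boolean} [options.removeStartTagsAfter = true] - Remove start tags left without an end tag
   *   (an unterminated "<script>" is still executed by the browser once the document closes it)
   * @param {string[]} [options.tags = ["script"]] - The tags that should be removed
   * @param {string[]} [options.attributes = script_sanitize.defaultAttributes] - The attributes that should be removed
   * @returns {string}
   */
  sanitize: function (html, options) {
    var utils = script_sanitize.utils;
    var replacementText = "";
    var loop = true;
    var removeEndTagsAfter = true;
    var removeStartTagsAfter = true;
    var tags = ["script"];
    // Read the default list from the namespace, not `this`: a detached call
    // (`var s = script_sanitize.sanitize; s(html)`) must still strip attributes
    // instead of silently skipping them (or throwing in strict mode).
    var attributes = script_sanitize.defaultAttributes;
    if (utils.isDefined(options)) {
      replacementText = utils.defaultFor(options.replacementText, replacementText);
      loop = utils.defaultFor(options.loop, loop);
      removeEndTagsAfter = utils.defaultFor(options.removeEndTagsAfter, removeEndTagsAfter);
      removeStartTagsAfter = utils.defaultFor(options.removeStartTagsAfter, removeStartTagsAfter);
      tags = utils.defaultFor(options.tags, tags);
      attributes = utils.defaultFor(options.attributes, attributes);
    }
    html = String(utils.defaultFor(html, ""));

    // Replace every match of regex, re-scanning until nothing matches any more.
    // A /g regex keeps state in lastIndex between test() calls, so reset it.
    function stripAll(text, regex, replacement) {
      for (;;) {
        regex.lastIndex = 0;
        if (!regex.test(text)) {
          return text;
        }
        var next = text.replace(regex, replacement);
        if (next === text) {
          // The replacement re-created the match (caller misconfiguration); do not spin forever.
          return text;
        }
        text = next;
      }
    }

    for (var i = 0; i < tags.length; i++) {
      var tag = tags[i];
      var pairRegex = utils.generateRegexForTag(tag);
      if (loop) {
        html = stripAll(html, pairRegex, replacementText);
      } else {
        html = html.replace(pairRegex, replacementText);
      }
      if (removeEndTagsAfter) {
        html = stripAll(html, utils.generateRegexForEndTag(tag), replacementText);
      }
      if (removeStartTagsAfter) {
        html = stripAll(html, utils.generateRegexForStartTag(tag), replacementText);
      }
    }
    for (var j = 0; j < attributes.length; j++) {
      html = stripAll(html, utils.generateRegexForAttribute(attributes[j]), "");
    }
    return html;
  }
};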
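// CommonJS export. `typeof` always yields a string, so the comparison must be
// against the string 'undefined'; comparing against the value `undefined` is
// always true and makes the assignment throw a ReferenceError in browsers,
// where `module` does not exist.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = script_sanitize;
}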