As pruning means content an user wrote into the box, even if with
malicious intend, gets hidden and that can be quite confusing..
So rather get the outerHTML, transform it with ExtJS's htmlEncode and
set it again.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
alternateClassName: 'Px.Markdown', // just trying out something, do NOT copy this line
singleton: true,
alternateClassName: 'Px.Markdown', // just trying out something, do NOT copy this line
singleton: true,
- // transforms HTML to a DOM tree and recursively descends and prunes every branch with a
+ // transforms HTML to a DOM tree and recursively descends and HTML-encodes every branch with a
// "bad" node.type and drops "bad" attributes from the remaining nodes.
// "bad" means anything which can do XSS or break the layout of the outer page
sanitizeHTML: function(input) {
// "bad" node.type and drops "bad" attributes from the remaining nodes.
// "bad" means anything which can do XSS or break the layout of the outer page
sanitizeHTML: function(input) {
_sanitize = (node) => {
if (node.nodeType === 3) return;
if (node.nodeType !== 1 || /^(script|iframe|object|embed|svg)$/i.test(node.tagName)) {
_sanitize = (node) => {
if (node.nodeType === 3) return;
if (node.nodeType !== 1 || /^(script|iframe|object|embed|svg)$/i.test(node.tagName)) {
+ // could do node.remove() instead, but it's nicer UX if we keep the (encoded!) html
+ node.outerHTML = Ext.String.htmlEncode(node.outerHTML);
return;
}
for (let i=node.attributes.length; i--;) {
return;
}
for (let i=node.attributes.length; i--;) {