changeset 22:499f38b5eeff

remove DOMPurify
author Franklin Schmidt <>
date Mon, 08 Aug 2022 23:41:05 -0600 (2022-08-09)
parents 2edd68951454
children c2a85b2ec677
files src/changes.txt src/sceditor.js
diffstat 2 files changed, 9 insertions(+), 1368 deletions(-) [+]
 changes, most recent at top
+Remove DOMPurify.  This was a huge amount of incomprehensible code that adds little value.  XSS should basically be handled on the server side, and if one is using bbcode then it isn't an issue anyway.
 Removed "this" from command functions and instead pass "editor" as first arg.  Javascript's object-oriented features are a disgusting hack and should never be used.  I will remove uses of this as I encounter them.
 Add optional "icon" to command spec.
 	var globalWin  = window;
 	var globalDoc  = document;
-		// Create new instance of DOMPurify for each editor instance so can
-		// have different allowed iframe URLs
-		// eslint-disable-next-line new-cap
-		var domPurify = purify();
-		// Allow iframes for things like YouTube, see:
-		//
-		domPurify.addHook('uponSanitizeElement', function (node, data) {
-			var allowedUrls = options.allowedIframeUrls;
-			if (data.tagName === 'iframe') {
-				var src = attr(node, 'src') || '';
-				for (var i = 0; i < allowedUrls.length; i++) {
-					var url = allowedUrls[i];
-					if (isString(url) && src.substr(0, url.length) === url) {
-						return;
-					}
-					// Handle regex
-					if (url.test && url.test(src)) {
-						return;
-					}
-				}
-				// No match so remove
-				remove(node);
-			}
-		});
-		// Convert target attribute into data-sce-target attributes so XHTML format
-		// can allow them
-		domPurify.addHook('afterSanitizeAttributes', function (node) {
-			if ('target' in node) {
-				attr(node, 'data-sce-target', attr(node, 'target'));
-			}
-			removeAttr(node, 'target');
-		});
-		/**
-		 * Sanitize HTML to avoid XSS
-		 *
-		 * @param {string} html
-		 * @return {string} html
-		 * @private
-		 */
-		function sanitize(html) {
-			return domPurify.sanitize(html, {
-				ADD_TAGS: ['iframe'],
-				ADD_ATTR: ['allowfullscreen', 'frameborder', 'target']
-			});
-		}
 		 * Creates the editor iframe and textarea
 		 * @private
