Merge pull request #1674 from SUI-Components/feat-sanitize-html

feat(packages/sui-js): exclude script tags in html sanitization
SUI-Components · Dec 4, 2023 · 5692699 · 5692699
2 parents 8cf4aea + b2fd013
commit 5692699
Showing 1 changed file with 43 additions and 1 deletion.
diff --git a/packages/sui-js/src/react/index.js b/packages/sui-js/src/react/index.js
@@ -1,4 +1,46 @@
-export {default as htmlStringToReactElement} from 'htmr'
+import htmr from 'htmr'
+
+// This is a list of all the elements that should not be allowed to be rendered as they pose a security risk.
+// See: https://developer.mozilla.org/en-US/docs/Web/HTML/Element
+// If you want to allow one of these elements, you can add it to the `transform` object in the `options`.
+export const DANGEROUS_TRANSFORMS = {
+  area: () => null,
+  audio: () => null,
+  base: () => null,
+  canvas: () => null,
+  embed: () => null,
+  form: () => null,
+  frame: () => null,
+  frameset: () => null,
+  head: () => null,
+  html: () => null,
+  iframe: () => null,
+  img: () => null,
+  link: () => null,
+  map: () => null,
+  meta: () => null,
+  noscript: () => null,
+  object: () => null,
+  picture: () => null,
+  portal: () => null,
+  script: () => null,
+  slot: () => null,
+  source: () => null,
+  style: () => null,
+  template: () => null,
+  title: () => null,
+  track: () => null,
+  video: () => null
+}
+
+export const htmlStringToReactElement = (string, options) =>
+  htmr(string, {
+    ...options,
+    transform: {
+      ...DANGEROUS_TRANSFORMS,
+      ...options?.transform
+    }
+  })
 
 const isReactRefObj = target => {
   if (target && typeof target === 'object') {