Santize HTML before updating in layout example widget (#1382)

* Santize HTML before updating in layout example widget * none * none
browserengineering · Jan 5, 2025 · 7ffcd95 · 7ffcd95
1 parent e35417f
commit 7ffcd95
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/www/widgets/LICENSE b/www/widgets/LICENSE
@@ -0,0 +1,3 @@
+** purify.min.js:
+
+See license here: `https://github.com/cure53/DOMPurify/blob/main/LICENSE`
diff --git a/www/widgets/layout-block-container-example.html b/www/widgets/layout-block-container-example.html
@@ -52,4 +52,5 @@
           srcdoc=""></iframe>
   </flex-item>
 </container>
+<script type="text/javascript" src="purify.min.js"></script>
 <script src="layout-example.js"></script>
diff --git a/www/widgets/layout-example.js b/www/widgets/layout-example.js
@@ -8,10 +8,11 @@ let preamble = `
 `;
 
 function updateState() {
-  targetIframe.srcdoc = `${preamble}${htmlSource.value}`;
+  var clean = DOMPurify.sanitize(htmlSource.value);
+  targetIframe.srcdoc = `${preamble}${clean}`;
   link.href =
   	`layout-block-container-example.html?htmlSource=${
-  		  encodeURIComponent(htmlSource.value)}`;
+  		  encodeURIComponent(clean)}`;
 }
 
 onload = () => {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		** purify.min.js:

		See license here: `https://github.com/cure53/DOMPurify/blob/main/LICENSE`