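/**
 * Strip the most common active content from an HTML string: <script>
 * elements, on* event-handler attributes, and href values whose scheme is
 * not http/https (e.g. "javascript:").
 *
 * The markup is parsed into a detached, inert document instead of a live
 * element of the current page. Assigning innerHTML on a page element lets
 * the browser start fetching <img src> and fire onerror before the
 * attributes are stripped, so the "barrier" itself would run the payload
 * it is meant to remove.
 *
 * This is a blocklist over a few vectors, not a complete sanitiser: it
 * does not touch src/action/formaction/srcdoc/style, SVG/MathML content
 * or CSS url(). Use a purpose-built sanitiser (DOMPurify, the Sanitizer
 * API) where the output is inserted into a page.
 *
 * @example
 * var src = safeHtml('[<'+'script>alert(1)<'+'/script>]');
 * var dest = '[]';
 * console.assert(src===dest, 'script');
 *
 * @example
 * var src = safeHtml('<img src="404" onerror="alert(1)">');
 * var dest = '<img src="404">';
 * console.assert(src===dest, 'handler');
 *
 * @example
 * var src = safeHtml('<a href="javascript:alert(1)">X</a>');
 * var dest = '<a href="#">X</a>';
 * console.assert(src===dest, 'bookmarklet');
 *
 * @param {string} html - Untrusted HTML fragment.
 * @returns {string} The fragment re-serialised with the items above removed.
 */
function safeHtml(html) {
  // Inert document: no browsing context, so no script execution, no
  // resource fetches and no event dispatch while we inspect the tree.
  var doc = document.implementation.createHTMLDocument('');
  var barrier = doc.body;
  barrier.innerHTML = html;

  // querySelectorAll returns a static NodeList, so removing nodes while
  // walking it does not shift the remaining entries.
  var elements = barrier.querySelectorAll('*');
  for (var i = 0, l = elements.length; i < l; i++) {
    // Was elements[0]: only the first element was ever inspected.
    var el = elements[i];

    // <script>: drop the whole element; its attributes no longer matter.
    if (el.tagName === 'SCRIPT') {
      el.parentNode.removeChild(el);
      continue;
    }

    // Snapshot the attributes: NamedNodeMap is live, and removing an entry
    // while iterating it would skip the one that follows.
    var attributes = Array.prototype.slice.call(el.attributes);
    for (var j = 0, m = attributes.length; j < m; j++) {
      var attribute = attributes[j];
      var name = attribute.name.toLowerCase();

      if (name === 'href') {
        // Allow-list http(s) only; everything else (javascript:, data:,
        // vbscript:, relative URLs) becomes "#". Browsers ignore leading
        // whitespace/control characters and scheme case when resolving a
        // URL, so the comparison must too. The original test used "||",
        // which is always true and replaced every href, including http(s).
        var value = attribute.value.replace(/^[\s\u0000-\u001f]+/, '').toLowerCase();
        if (value.indexOf('http:') !== 0 && value.indexOf('https:') !== 0) {
          el.setAttribute('href', '#');
        }
      } else if (name.indexOf('on') === 0) {
        // onerror="…", onclick="…": remove the attribute rather than blank
        // it, so no handler attribute survives in the output at all.
        el.removeAttribute(attribute.name);
      }
    }
  }

  return barrier.innerHTML;
}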
Line 25 should be