fix(designer-ui): Partial port of #4554 - Add raw HTML sanitization

Azure · Apr 6, 2024 · 4645ebb · 4645ebb
1 parent b97983d
commit 4645ebb
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts b/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts
@@ -95,7 +95,8 @@ export const encodeOrDecodeSegmentValue = (value: string, encodingMap: Record<st
 };
 
 export const getDomFromHtmlEditorString = (htmlEditorString: string, nodeMap: Map<string, ValueSegment>): HTMLElement => {
-  const encodedHtmlEditorString = encodeStringSegmentTokensInDomContext(htmlEditorString, nodeMap);
+  const purifiedHtmlEditorString = htmlEditorString.replace(/on[a-z]*\s*=\s*('[^']+|"[^"]+|[^\s>]+)/gi, '');
+  const encodedHtmlEditorString = encodeStringSegmentTokensInDomContext(purifiedHtmlEditorString, nodeMap);
 
   const tempElement = document.createElement('div');
   tempElement.innerHTML = encodedHtmlEditorString;