From 4645ebb51cb6b5a4afbd93c383171bc9487973bf Mon Sep 17 00:00:00 2001
From: EK <1350074+ek68794998@users.noreply.github.com>
Date: Fri, 5 Apr 2024 17:17:34 -0700
Subject: [PATCH] fix(designer-ui): Partial port of #4554 - Add raw HTML sanitization

---
 libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts b/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts
index 6d9d7b8ce01..c9b1134c952 100644
--- a/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts
+++ b/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts
@@ -95,7 +95,8 @@ export const encodeOrDecodeSegmentValue = (value: string, encodingMap: Record
 ): HTMLElement => {
-  const encodedHtmlEditorString = encodeStringSegmentTokensInDomContext(htmlEditorString, nodeMap);
+  const purifiedHtmlEditorString = htmlEditorString.replace(/on[a-z]*\s*=\s*('[^']+|"[^"]+|[^\s>]+)/gi, '');
+  const encodedHtmlEditorString = encodeStringSegmentTokensInDomContext(purifiedHtmlEditorString, nodeMap);
   const tempElement = document.createElement('div');
   tempElement.innerHTML = encodedHtmlEditorString;
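Review bot: The regex on the added `purifiedHtmlEditorString` line runs over the whole string rather than over attribute positions, so it corrupts ordinary content: `on[a-z]*` has no left boundary, so plain text such as `version=2` loses `on=2` and becomes `versi`, and the quoted alternatives `'[^']+` / `"[^"]+` stop before the closing quote and leave a stray quote behind in the markup. It is also only a denylist of inline event-handler attributes; everything else that `innerHTML` interprets (URL-bearing attributes, script and embedding elements) passes through untouched, so the "partial" in the subject should be stated on that line, e.g. `// Interim mitigation only: strips inline event handlers by regex; see #4554 for the full sanitizer port.`. A more robust shape is to parse with `DOMParser` (parsing there runs no scripts and fetches no subresources), remove disallowed attributes from the resulting tree — ideally against an allowlist of tags and attributes — and serialize the body back, as sketched below; whether the segment-token placeholders survive that parse/serialize round trip before `encodeStringSegmentTokensInDomContext` runs cannot be judged from this hunk and needs checking against the token format. The hunk's trailing context lines and the end of the enclosing function lie outside the visible chunk.
```typescript
  // Parse in an inert document (DOMParser runs no scripts and loads no subresources),
  // then drop inline event-handler attributes before serializing the body back.
  const parsedDoc = new DOMParser().parseFromString(htmlEditorString, 'text/html');
  for (const element of Array.from(parsedDoc.body.querySelectorAll('*'))) {
    // Copy first: NamedNodeMap is live and removing while iterating skips entries.
    for (const attribute of Array.from(element.attributes)) {
      if (attribute.name.toLowerCase().startsWith('on')) {
        element.removeAttribute(attribute.name);
      }
    }
  }
  const purifiedHtmlEditorString = parsedDoc.body.innerHTML;
  const encodedHtmlEditorString = encodeStringSegmentTokensInDomContext(purifiedHtmlEditorString, nodeMap);
  // … unchanged: tempElement creation and innerHTML assignment …
```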