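/**
 * Ordered regex passes applied by {@link sanitizeHTML}.
 *
 * Every replacement strictly shortens its match, which is what guarantees
 * the re-apply-until-stable loop in sanitizeHTML terminates.
 */
const SANITIZE_PASSES: ReadonlyArray<readonly [RegExp, string]> = [
  // 1. <script> and <style> elements together with their contents
  //    (script-src / style-src). `\b` stops `<script` from matching a
  //    longer tag name; the back-reference pairs the closing tag with
  //    its opener.
  [/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, ''],

  // 2. Any remaining opening or closing tag of an element that executes
  //    or loads external content. This also catches an unclosed <script>
  //    or <style>, which pass 1 cannot pair with a closing tag, and the
  //    orphaned </iframe>, </object> etc. that would otherwise be left.
  [/<\/?(?:script|style|meta|link|iframe|object|embed|applet)\b[^>]*>/gi, ''],

  // 3. on* event-handler attributes: onclick="…", onclick='…' or onclick=….
  //    The attribute is normally preceded by whitespace, but an HTML parser
  //    also starts a new attribute name directly after a quoted value, so a
  //    preceding quote is accepted as a separator too (looked at, not
  //    consumed, so the surrounding markup stays as it was).
  [/(?:\s+|(?<=["']))on\w+\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]+)/gi, ''],

  // 4. href/src with a javascript: scheme are pointed at "#". Leading
  //    whitespace inside the quotes is tolerated because browsers ignore
  //    it when resolving the URL.
  [/(href|src)\s*=\s*(?:'\s*javascript:[^']*'|"\s*javascript:[^"]*"|javascript:[^\s>]+)/gi, '$1="#"'],

  // 5. <a> tags are dropped but their text is kept (VAPT compliance).
  //    Opening and closing tags are removed independently so an unclosed
  //    <a href> cannot remain as a live link; `\b` keeps <abbr>, <article>
  //    and similar intact.
  [/<\/?a\b[^>]*>/gi, ''],
];

/**
 * Sanitizes HTML content by removing dangerous attributes and tags.
 *
 * This is used to comply with CSP policies and prevent XSS. The passes,
 * in order, remove script/style elements, tags that load or execute
 * external content, on* event-handler attributes, javascript: URLs in
 * href/src, and <a> tags (keeping their text). They are re-applied until
 * the output stops changing, because removing one match can join the
 * text on either side of it into a new match.
 *
 * Limitations: this is a regex denylist over the raw markup, not a
 * parser-based sanitizer. Attribute values are matched literally (no
 * entity decoding), and the patterns also fire on text content that
 * happens to look like markup. Treat it as one layer alongside output
 * encoding and CSP rather than the only control for untrusted HTML.
 *
 * @param html - Markup to clean; an empty string (or, at runtime, a
 *   nullish value) yields ''.
 * @returns The markup with the constructs above removed.
 */
export function sanitizeHTML(html: string): string {
  if (!html) return '';

  let sanitized = html;
  let previous: string;
  do {
    previous = sanitized;
    for (const [pattern, replacement] of SANITIZE_PASSES) {
      sanitized = sanitized.replace(pattern, replacement);
    }
    // Each pass only ever shortens the string, so this loop is bounded by
    // the input length.
  } while (sanitized !== previous);

  return sanitized;
}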