UNPKG

@ionic/core/dist/cjs/index-e1bb33c3.js

Version:

4.46 kBJavaScriptView Raw

1'use strict';
2
3/**
* Does a simple sanitization of all elements
* in an untrusted string
*/
7const sanitizeDOMString = (untrustedString) => {
try {
  if (untrustedString instanceof IonicSafeString) {
    return untrustedString.value;
  }
  if (!isSanitizerEnabled() || typeof untrustedString !== 'string' || untrustedString === '') {
    return untrustedString;
  }
  /**
   * Create a document fragment
   * separate from the main DOM,
   * create a div to do our work in
   */
  const documentFragment = document.createDocumentFragment();
  const workingDiv = document.createElement('div');
  documentFragment.appendChild(workingDiv);
  workingDiv.innerHTML = untrustedString;
  /**
   * Remove any elements
   * that are blocked
   */
  blockedTags.forEach(blockedTag => {
    const getElementsToRemove = documentFragment.querySelectorAll(blockedTag);
    for (let elementIndex = getElementsToRemove.length - 1; elementIndex >= 0; elementIndex--) {
      const element = getElementsToRemove[elementIndex];
      if (element.parentNode) {
        element.parentNode.removeChild(element);
      }
      else {
        documentFragment.removeChild(element);
      }
      /**
       * We still need to sanitize
       * the children of this element
       * as they are left behind
       */
      const childElements = getElementChildren(element);
      /* tslint:disable-next-line */
      for (let childIndex = 0; childIndex < childElements.length; childIndex++) {
        sanitizeElement(childElements[childIndex]);
      }
    }
  });
  /**
   * Go through remaining elements and remove
   * non-allowed attribs
   */
  // IE does not support .children on document fragments, only .childNodes
  const dfChildren = getElementChildren(documentFragment);
  /* tslint:disable-next-line */
  for (let childIndex = 0; childIndex < dfChildren.length; childIndex++) {
    sanitizeElement(dfChildren[childIndex]);
  }
  // Append document fragment to div
  const fragmentDiv = document.createElement('div');
  fragmentDiv.appendChild(documentFragment);
  // First child is always the div we did our work in
  const getInnerDiv = fragmentDiv.querySelector('div');
  return (getInnerDiv !== null) ? getInnerDiv.innerHTML : fragmentDiv.innerHTML;
}
catch (err) {
  console.error(err);
  return '';
}
71};
72/**
* Clean up current element based on allowed attributes
* and then recursively dig down into any child elements to
* clean those up as well
*/
77const sanitizeElement = (element) => {
// IE uses childNodes, so ignore nodes that are not elements
if (element.nodeType && element.nodeType !== 1) {
  return;
}
for (let i = element.attributes.length - 1; i >= 0; i--) {
  const attribute = element.attributes.item(i);
  const attributeName = attribute.name;
  // remove non-allowed attribs
  if (!allowedAttributes.includes(attributeName.toLowerCase())) {
    element.removeAttribute(attributeName);
    continue;
  }
  // clean up any allowed attribs
  // that attempt to do any JS funny-business
  const attributeValue = attribute.value;
  /* tslint:disable-next-line */
  if (attributeValue != null && attributeValue.toLowerCase().includes('javascript:')) {
    element.removeAttribute(attributeName);
  }
}
/**
 * Sanitize any nested children
 */
const childElements = getElementChildren(element);
/* tslint:disable-next-line */
for (let i = 0; i < childElements.length; i++) {
  sanitizeElement(childElements[i]);
}
106};
107/**
* IE doesn't always support .children
* so we revert to .childNodes instead
*/
111const getElementChildren = (el) => {
return (el.children != null) ? el.children : el.childNodes;
113};
114const isSanitizerEnabled = () => {
const win = window;
const config = win && win.Ionic && win.Ionic.config;
if (config) {
  if (config.get) {
    return config.get('sanitizerEnabled', true);
  }
  else {
    return config.sanitizerEnabled === true || config.sanitizerEnabled === undefined;
  }
}
return true;
126};
127const allowedAttributes = ['class', 'id', 'href', 'src', 'name', 'slot'];
128const blockedTags = ['script', 'style', 'iframe', 'meta', 'link', 'object', 'embed'];
129class IonicSafeString {
constructor(value) {
  this.value = value;
}
133}
134
135exports.IonicSafeString = IonicSafeString;
136exports.sanitizeDOMString = sanitizeDOMString;

1	`'use strict';`
2
3	`/**`
4	`* Does a simple sanitization of all elements`
5	`* in an untrusted string`
6	`*/`
7	`const sanitizeDOMString = (untrustedString) => {`
8	`try {`
9	`if (untrustedString instanceof IonicSafeString) {`
10	`return untrustedString.value;`
11	`}`
12	`if (!isSanitizerEnabled() \|\| typeof untrustedString !== 'string' \|\| untrustedString === '') {`
13	`return untrustedString;`
14	`}`
15	`/**`
16	`* Create a document fragment`
17	`* separate from the main DOM,`
18	`* create a div to do our work in`
19	`*/`
20	`const documentFragment = document.createDocumentFragment();`
21	`const workingDiv = document.createElement('div');`
22	`documentFragment.appendChild(workingDiv);`
23	`workingDiv.innerHTML = untrustedString;`
24	`/**`
25	`* Remove any elements`
26	`* that are blocked`
27	`*/`
28	`blockedTags.forEach(blockedTag => {`
29	`const getElementsToRemove = documentFragment.querySelectorAll(blockedTag);`
30	`for (let elementIndex = getElementsToRemove.length - 1; elementIndex >= 0; elementIndex--) {`
31	`const element = getElementsToRemove[elementIndex];`
32	`if (element.parentNode) {`
33	`element.parentNode.removeChild(element);`
34	`}`
35	`else {`
36	`documentFragment.removeChild(element);`
37	`}`
38	`/**`
39	`* We still need to sanitize`
40	`* the children of this element`
41	`* as they are left behind`
42	`*/`
43	`const childElements = getElementChildren(element);`
44	`/* tslint:disable-next-line */`
45	`for (let childIndex = 0; childIndex < childElements.length; childIndex++) {`
46	`sanitizeElement(childElements[childIndex]);`
47	`}`
48	`}`
49	`});`
50	`/**`
51	`* Go through remaining elements and remove`
52	`* non-allowed attribs`
53	`*/`
54	`// IE does not support .children on document fragments, only .childNodes`
55	`const dfChildren = getElementChildren(documentFragment);`
56	`/* tslint:disable-next-line */`
57	`for (let childIndex = 0; childIndex < dfChildren.length; childIndex++) {`
58	`sanitizeElement(dfChildren[childIndex]);`
59	`}`
60	`// Append document fragment to div`
61	`const fragmentDiv = document.createElement('div');`
62	`fragmentDiv.appendChild(documentFragment);`
63	`// First child is always the div we did our work in`
64	`const getInnerDiv = fragmentDiv.querySelector('div');`
65	`return (getInnerDiv !== null) ? getInnerDiv.innerHTML : fragmentDiv.innerHTML;`
66	`}`
67	`catch (err) {`
68	`console.error(err);`
69	`return '';`
70	`}`
71	`};`
72	`/**`
73	`* Clean up current element based on allowed attributes`
74	`* and then recursively dig down into any child elements to`
75	`* clean those up as well`
76	`*/`
77	`const sanitizeElement = (element) => {`
78	`// IE uses childNodes, so ignore nodes that are not elements`
79	`if (element.nodeType && element.nodeType !== 1) {`
80	`return;`
81	`}`
82	`for (let i = element.attributes.length - 1; i >= 0; i--) {`
83	`const attribute = element.attributes.item(i);`
84	`const attributeName = attribute.name;`
85	`// remove non-allowed attribs`
86	`if (!allowedAttributes.includes(attributeName.toLowerCase())) {`
87	`element.removeAttribute(attributeName);`
88	`continue;`
89	`}`
90	`// clean up any allowed attribs`
91	`// that attempt to do any JS funny-business`
92	`const attributeValue = attribute.value;`
93	`/* tslint:disable-next-line */`
94	`if (attributeValue != null && attributeValue.toLowerCase().includes('javascript:')) {`
95	`element.removeAttribute(attributeName);`
96	`}`
97	`}`
98	`/**`
99	`* Sanitize any nested children`
100	`*/`
101	`const childElements = getElementChildren(element);`
102	`/* tslint:disable-next-line */`
103	`for (let i = 0; i < childElements.length; i++) {`
104	`sanitizeElement(childElements[i]);`
105	`}`
106	`};`
107	`/**`
108	`* IE doesn't always support .children`
109	`* so we revert to .childNodes instead`
110	`*/`
111	`const getElementChildren = (el) => {`
112	`return (el.children != null) ? el.children : el.childNodes;`
113	`};`
114	`const isSanitizerEnabled = () => {`
115	`const win = window;`
116	`const config = win && win.Ionic && win.Ionic.config;`
117	`if (config) {`
118	`if (config.get) {`
119	`return config.get('sanitizerEnabled', true);`
120	`}`
121	`else {`
122	`return config.sanitizerEnabled === true \|\| config.sanitizerEnabled === undefined;`
123	`}`
124	`}`
125	`return true;`
126	`};`
127	`const allowedAttributes = ['class', 'id', 'href', 'src', 'name', 'slot'];`
128	`const blockedTags = ['script', 'style', 'iframe', 'meta', 'link', 'object', 'embed'];`
129	`class IonicSafeString {`
130	`constructor(value) {`
131	`this.value = value;`
132	`}`
133	`}`
134
135	`exports.IonicSafeString = IonicSafeString;`
136	`exports.sanitizeDOMString = sanitizeDOMString;`