Preventing xss manipulation using onerror with the antiscript setting.

2025-09-13 12:29:42 +02:00 · 2021-06-27 00:24:19 +02:00
parent eef4ef54a1
commit 6b9462f606
3 changed files with 105 additions and 2 deletions
--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@@ -27,8 +27,9 @@ export const removeScript = txt => {
    }
  }

-  rs = rs.replace('javascript:', '#');
-  rs = rs.replace('<iframe', '');
+  rs = rs.replace(/javascript:/g, '#');
+  rs = rs.replace(/onerror=/g, 'onerror:');
+  rs = rs.replace(/<iframe/g, '');

  return rs;
 };