Add safe_html() for XSS-safe WYSIWYG HTML sanitization

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
root
2025-12-25 23:39:42 +00:00
parent 1322bbf988
commit 1abbac58e7
419 changed files with 39662 additions and 154 deletions


@@ -285,6 +285,23 @@ function html(str) {
return _.escape(str);
}
/**
* Sanitizes HTML from WYSIWYG editors to prevent XSS attacks
*
* Uses DOMPurify to filter potentially malicious HTML while preserving
* safe formatting tags. Suitable for user-generated rich text content.
*
* @param {string} html_string - HTML string to sanitize
* @returns {string} Sanitized HTML safe for display
*/
function safe_html(html_string) {
return DOMPurify.sanitize(html_string, {
ALLOWED_TAGS: ['p', 'br', 'strong', 'b', 'em', 'i', 'u', 's', 'strike', 'a', 'ul', 'ol', 'li', 'blockquote', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'pre', 'code', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'span'],
ALLOWED_ATTR: ['href', 'title', 'target', 'src', 'alt', 'width', 'height', 'class'],
ALLOW_DATA_ATTR: false,
});
}
/**
* Converts newlines to HTML line breaks
* @param {string} str - String to convert
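Review bot: Allowing `target` in ALLOWED_ATTR while `rel` is not allowed means a sanitized `<a target="_blank">` can never carry `rel="noopener noreferrer"`, so in browsers that do not imply noopener for `_blank` the opened page keeps a `window.opener` handle back to the application (reverse tabnabbing). The simplest fix is to drop it, `ALLOWED_ATTR: ['href', 'title', 'src', 'alt', 'width', 'height', 'class'],`; if `target` is genuinely needed, keep it and register a DOMPurify `afterSanitizeAttributes` hook that sets `rel="noopener noreferrer"` on every anchor that has a `target`. Allowing `class` also lets rich text borrow any stylesheet class the application ships, which is not script execution but can hide, overlay or mimic trusted UI, so the JSDoc should state that as an accepted trade-off or the attribute should be narrowed with a hook. If I read DOMPurify's defaults correctly, its URI policy still admits http(s) and `data:` sources on `img`, so sanitized content can trigger outbound image fetches; worth a sentence in the docstring ("allows external images") so callers know what "safe for display" covers.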