/*!
 * VisualEditor HTML sanitization utilities.
 *
 * @copyright 2011-2019 VisualEditor Team and others; see http://ve.mit-license.org
 */
 
/* global DOMPurify */
 
/**
 * Sanitize a string of untrusted HTML with DOMPurify and hand back the
 * resulting nodes, ready to be attached to the page.
 *
 * Adjustments made on top of DOMPurify's default allow-lists:
 *  - `figure-inline` elements are permitted.
 *  - `srcset` and the RDFa attributes (`about`, `rel`, `resource`, `property`,
 *    `content`, `datatype`, `typeof`) are permitted *and* marked URI-safe,
 *    i.e. DOMPurify does not run its URI-scheme check on their values
 *    (presumably so RDFa tokens such as `mw:...` are not dropped — confirm
 *    against the ve-mw callers).
 *    NOTE(review): as a consequence `srcset` candidate URLs are not
 *    scheme-checked here; callers must not rely on this function to reject
 *    non-http(s) `srcset` entries.
 *  - `<style>` elements are stripped. Inline `style` attributes are not
 *    addressed by this config and remain subject to DOMPurify's defaults.
 *
 * @param {string} html Untrusted HTML source
 * @return {NodeList} Child nodes of the sanitized DocumentFragment. This is a
 *  live NodeList: moving a node out of the fragment (e.g. via appendChild)
 *  shrinks the list, so copy it to an array before iterating if the loop
 *  reparents nodes.
 */
ve.sanitizeHtml = function ( html ) {
	// TODO: Move MW-specific rules to ve-mw
	var extraTags = [ 'figure-inline' ];
	var extraAttrs = [
		'srcset',
		// RDFa
		'about', 'rel', 'resource', 'property', 'content', 'datatype', 'typeof'
	];
	var config = {
		ADD_TAGS: extraTags,
		ADD_ATTR: extraAttrs,
		// Same list twice on purpose: allow the attributes, and exempt their
		// values from DOMPurify's URI allow-list check.
		ADD_URI_SAFE_ATTR: extraAttrs,
		FORBID_TAGS: [ 'style' ],
		// Parse the input as body content rather than letting the parser
		// hoist leading elements into <head>.
		FORCE_BODY: true,
		// Ask for a DocumentFragment instead of a serialized string.
		RETURN_DOM_FRAGMENT: true
	};
	var fragment = DOMPurify.sanitize( html, config );
	return fragment.childNodes;
};