
Commit 4700cdb

committed
remove style and script tags
1 parent 6dc0d5e commit 4700cdb

3 files changed

Lines changed: 9 additions & 2 deletions


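--- a/cypress/e2e/block.cy.js
+++ b/cypress/e2e/block.cy.js
@@ -310,7 +310,7 @@ context('Pattern Css', () => {
 .invoke('text')
 .should(
 'contain',
-'background-image:url(https://foo.com/bar.jpg?</style><script>alert\\(1\\)</script>)',
+'background-image:url(https://foo.com/bar.jpg?</style><script>alert\\(1\\)</script>)',
 );
 });
 });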
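Review bot: The updated expectation on line 313 only checks that the escaped text is present; it never checks that the raw `</style><script>` sequence is gone, which is the property this commit exists to guarantee. On this rendered page the removed and added lines read identically, most likely because the `&lt;`/`&gt;` entities in the new expectation were decoded on display, so the exact expected string should be confirmed against the source. A second assertion on the same chain, `.and('not.contain', '</style><script>')`, would pin the negative case. The enclosing `it` block starts outside the hunk.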

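--- a/src/components/BlockControl.tsx
+++ b/src/components/BlockControl.tsx
@@ -23,6 +23,7 @@ import { focusAtEndOfLine2 } from '../lib/dom';
 import { EditorControls } from './EditorControls';
 import { store as coreStore } from '@wordpress/editor';
 import { addToClassList } from '../lib/classes';
+import { escapeCSS } from '../lib/formatting';
 
 export const BlockControl = (
 // eslint-disable-next-line
@@ -59,7 +60,7 @@ export const BlockControl = (
 return;
 }
 setWarnings([]);
-setCss(css);
+setCss(escapeCSS(css));
 
 if (!window.patternCss?.transform) return;
 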
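Review bot: `escapeCSS` is applied when the value is written to state (`setCss(escapeCSS(css))`, new line 63) rather than where the CSS is inserted into the document, so the stored value now carries HTML entities that every consumer of that state will see; whether that is intended depends on the sink, which is outside this hunk. If the same state is what the editor shows back to the user, they will see `&lt;script&gt;` in place of what they typed, and any later writer of that state that forgets the wrapper reopens the issue. Escaping at the point of output keeps the stored CSS faithful and makes the protection independent of the callers. The enclosing handler starts before line 60 and continues past the hunk.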
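--- /dev/null
+++ b/src/lib/formatting.ts
@@ -0,0 +1,6 @@
+export const escapeCSS = (url: string) =>
+url
+.replace(/<\s*script\s*>/gi, '&lt;script&gt;')
+.replace(/<\s*\/\s*script\s*>/gi, '&lt;/script&gt;')
+.replace(/<\s*style\s*>/gi, '&lt;style&gt;')
+.replace(/<\s*\/\s*style\s*>/gi, '&lt;/style&gt;');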
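Review bot: The four patterns only rewrite end tags spelled as `</style>` / `</script>` with optional whitespace before `>`, but the HTML tokenizer closes a raw-text element at `</style` or `</script` followed by whitespace, `/` or `>`, so an end tag carrying an attribute or a trailing slash passes through untouched, and a denylist of tag spellings is hard to keep complete. If this string is destined for a `<style>` element (the call site `setCss(escapeCSS(css))` suggests a stylesheet, though the sink is not in this commit), the robust form is to keep every `<` out of the HTML stream with a CSS escape, `export const escapeCSS = (css: string) => css.replace(/</g, '\\3c ');`, which the CSS parser reads back as `<` while no tag opener ever reaches the HTML parser. Note also that character references are not decoded inside a `<style>` element, so the current `&lt;script&gt;` output alters the CSS rather than escaping it. The parameter is named `url` but receives a whole stylesheet; `css` describes it better, and a one-line TSDoc naming the intended sink would help the next reader.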
