@@ -27,6 +27,7 @@ export class HomeComponent implements OnInit {
2727 platform
2828 wordpressView ! : SafeHtml
2929 notWordpressDisplay : boolean
30+ private wordpressAssetsLoaded = false
3031
3132 constructor (
3233 _platformInfo : PlatformInfoService ,
@@ -54,9 +55,12 @@ export class HomeComponent implements OnInit {
5455 . subscribe ( )
5556 }
5657 private setupHompage ( ) {
58+ // Note: scripts inserted via [innerHTML] won't execute. We must load the
59+ // required CSS/JS via real DOM nodes.
5760 return this . setupCss ( ) . pipe (
5861 switchMap ( ( ) => this . setupHtml ( ) ) ,
59- switchMap ( ( ) => this . setupJs ( ) )
62+ switchMap ( ( ) => this . setupJs ( ) ) ,
63+ switchMap ( ( ) => this . setupModulesJs ( ) )
6064 )
6165 }
6266
@@ -73,18 +77,40 @@ export class HomeComponent implements OnInit {
7377 setupJs ( ) {
7478 return this . wordpressService . getHomePageJS ( ) . pipe (
7579 tap ( ( js ) => {
80+ if ( this . wordpressAssetsLoaded ) return
7681 const script = this . document . createElement ( 'script' )
7782 script . innerHTML = js
7883 this . document . body . appendChild ( script )
7984 } )
8085 )
8186 }
8287
88+ setupModulesJs ( ) {
89+ return this . wordpressService . getHomePageModulesJS ( ) . pipe (
90+ tap ( ( js ) => {
91+ if ( this . wordpressAssetsLoaded ) return
92+ const script = this . document . createElement ( 'script' )
93+ script . type = 'module'
94+ script . innerHTML = js
95+ this . document . body . appendChild ( script )
96+ this . wordpressAssetsLoaded = true
97+ } )
98+ )
99+ }
100+
83101 setupHtml ( ) {
84102 return this . wordpressService . getHomePagePost ( ) . pipe (
85103 tap ( ( html ) => {
86- this . wordpressView = this . sanitizer . bypassSecurityTrustHtml ( html )
87- this . wordpressView
104+ // Parse and render only body content. Any <link>/<script> tags in the
105+ // fetched HTML would not execute when injected via [innerHTML] anyway.
106+ const parser = new DOMParser ( )
107+ const doc = parser . parseFromString ( html , 'text/html' )
108+
109+ doc . querySelectorAll ( 'script,link[rel="stylesheet"]' ) . forEach ( ( n ) => n . remove ( ) )
110+
111+ this . wordpressView = this . sanitizer . bypassSecurityTrustHtml (
112+ doc . body ?. innerHTML ?? html
113+ )
88114 } )
89115 )
90116 }
0 commit comments