You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
// Clobbering-safe access. A document *from `DOMParser` specifically* doesn't seem to have named property access on Chromium 146, but nothing in the DOM/HTML/`DOMParser` specs distinguish that case as far as I can tell; anyway, it does have named property access on Firefox 149.
* Parses a string of HTML into a partially sanitized container element if the environment supports the HTML Sanitizer API, and an unsanitized one otherwise.
230
+
*
231
+
* This partial sanitization removes attributes that are never allowed on any element (especially `name` and `id`, preventing clobbering) and anything that can execute scripts (try not to reintroduce such things in `weasylMarkdown`) as defense in depth. Unfortunately, `<script>`, `<iframe>`, and `<object>` elements are completely removed, instead of behaving like `defang`; configuring these as `replaceWithChildrenElements` doesn't work with "safe" functions. `javascript:` links are also removed instead of getting the `replaceBadLinks` treatment.
232
+
*/
233
+
letparseHtml;
234
+
235
+
if(Document.parseHTML){
236
+
// some of this configuration is already implied by the use of a "safe" function like `parseHTML`, but it's nice to be explicit
0 commit comments