fix(security): iframe srcdoc atrribute can lead to arbitrary code execution (#4762)

This commit is contained in:
Huang Xin
2026-06-24 22:01:18 +08:00
committed by GitHub
parent 7da5f83213
commit 005aa2d615
@@ -17,7 +17,8 @@ export const sanitizerTransformer: Transformer = {
const sanitized = DOMPurify.sanitize(result, {
WHOLE_DOCUMENT: true,
FORBID_TAGS: ['script'],
FORBID_TAGS: ['script', 'iframe', 'object', 'embed'],
FORBID_ATTR: ['srcdoc'],
ALLOWED_URI_REGEXP:
/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|blob|data):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
ADD_TAGS: ['link', 'meta'],