6 Matching Annotations
  1. Aug 2022
    1. Sanitizing iframes

      ```html

      <iframe id="webpage"></iframe>

      <br/> <button onclick="sanitize()">Sanitize</button>

      <script> function sanitize() { // Create a sanitizer object with the default config const sanitizer = new Sanitizer(); // Find the iframe node const iframe = document.getElementById('webpage'); // Sanitize the iframe's document node const sanitizedFrameNodes = sanitizer.sanitize(iframe.contentWindow.document); iframe.replaceChildren(sanitizeFrameNodes); } </script>

      ```

    1. The setHTML() method of the Element interface is used to parse and sanitize a string of HTML and then insert it into the DOM as a subtree of the element. It should be used instead of Element.innerHTML for inserting untrusted strings of HTML into an element.

      ```js const unsanitized_string = "abc <script>alert(1)<" + "/script> def"; // Unsanitized string of HTML const sanitizer1 = new Sanitizer(); // Default sanitizer;

      // Get the Element with id "target" and set it with the sanitized string. document.getElementById("target").setHTML(unsanitized_string, {sanitizer: sanitizer1});

      // Result (as a string): "abc def" ```