feat: make HTML attribute sanitization stricter (#8977)

* feat: make HTML attribute sanitization stricter * fix double escape
2025-05-03 10:00:07 -04:00 · 2025-01-05 21:45:04 +01:00 · 2025-01-05 21:45:04 +01:00 · b63689c230
commit b63689c230
parent c84babf574
5 changed files with 32 additions and 12 deletions
--- a/packages/excalidraw/utils.ts
+++ b/packages/excalidraw/utils.ts
@ -1225,3 +1225,16 @@ export class PromisePool<T> {
    });
  }
 }
+
+export const sanitizeHTMLAttribute = (html: string) => {
+  return (
+    html
+      // note, if we're not doing stupid things, escaping " is enough,
+      // but we might end up doing stupid things
+      .replace(/&/g, "&amp;")
+      .replace(/"/g, "&quot;")
+      .replace(/'/g, "&#39;")
+      .replace(/>/g, "&gt;")
+      .replace(/</g, "&lt;")
+  );
+};