可编辑的iframe,不允许运行JavaScript

时间:2015-03-01 18:47:22

标签: javascript iframe sandbox

我有一个iframe:

<iframe id="msgContainer" sandbox="allow-same-origin"></iframe>

我想在其中插入HTML,但不要让HTML中包含的任何JavaScript运行(这包括<script>标记和on*属性。我知道如何插入HTML(只使用document.getElementById('msgContainer').contentDocument.body.innerHTML=myHTML,但我想阻止myHTML中的任何JS运行。我尝试这样做的方法是使用sandbox属性并且仅允许-origin,但JS仍在运行。有没有办法做到这一点?

由于

1 个答案:

答案 0 :(得分:0)

除了从插入iframe的html字符串解析JS之外,我找不到任何答案。这是我的代码(如果它可以帮助其他人):

/** Removes javascript from html string
 * html: the string to be cleaned
*/
function clean(html) {
    function stripHTML(){
        html = html.slice(0, strip) + html.slice(j);
        j = strip;
        strip = false;
    }

    var strip = false,
    lastQuote = false,
    tag = false;
    const prefix = "ANYTHING",
    sandbox = " sandbox=''";

    for(var i=0; i<html.length; i++){
        if(html[i] === "<" && html[i+1] && isValidTagChar(html[i+1])) {
            i++;
            tag = false;
            /* Enter element */
            for(var j=i; j<html.length; j++){
                if(!lastQuote && html[j] === ">"){
                    if(strip) {
                        stripHTML();
                    }
                    /* sandbox iframes */
                    if(tag === "iframe"){
                        var index = html.slice(i, j).toLowerCase().indexOf("sandbox");
                        if(index > 0) {
                            html = html.slice(0, i+index) + prefix + html.slice(i+index);
                            j += prefix.length;
                        }
                        html = html.slice(0, j) + sandbox + html.slice(j);
                        j += sandbox.length;
                    }
                    i = j;
                    break;
                }
                if(!tag && html[j] === " "){
                    tag = html.slice(i, j).toLowerCase();
                }
                if(lastQuote === html[j]){
                    lastQuote = false;
                    continue;
                }
                if(!lastQuote && html[j-1] === "=" && (html[j] === "'" || html[j] === '"')){
                    lastQuote = html[j];
                }
                /* Find on statements */
                if(!lastQuote && html[j-2] === " " && html[j-1] === "o" && html[j] === "n"){
                    strip = j-2;
                }
                if(strip && html[j] === " " && !lastQuote){
                    stripHTML();
                }
            }
        }
    }
    html = stripScripts(html);
    return html;
}

/** Returns whether or not the character is a valid first character in a tag
 * str: the first character
*/
function isValidTagChar(str) {
    return str.match(/[a-z?\\\/!]/i);
}

/** Strips scripts from a string of html
 * html: the string of html to be stripped
*/
// NOTE: <script> tags won't run in this context
function stripScripts(html) {
    var div = document.createElement('div');
    div.innerHTML = html;
    var scripts = div.getElementsByTagName('script');
    var i = scripts.length;
    while (i--) {
      scripts[i].parentNode.removeChild(scripts[i]);
    }
    return div.innerHTML;
}
相关问题
最新问题