Bypass HTML sanitization

To bypass HTML sanitization, wrap your HTML in a <code> tag and add a single line of code to a JS file. That script replaces each <code> tag with its own text, parsed as HTML.

html

<input value="inputs not supported:"/>
<button onclick="msg('spotfire developer')">not supported</button>
<a title="not supported! really?" href="#">test</a>
<script>
  function msg(name){alert(`hello ${name}`)}
</script>

<hr>

<code>
<input value="inputs now supported:"/>
<button onclick="msg('spotfire developer')">now supported</button>
<a title="titles are now supported" href="#">mouse over to see tooltip (title attribute)</a>
<script>
function msg(name){alert(`good job ${name}`)}
</script>
</code>


js method 1

// Method 1: parses every <code> tag by re-injecting its text as HTML,
// but a <script> tag inserted through innerHTML is not executed by the browser
document.querySelectorAll("code").forEach(el => {
  el.innerHTML = el.innerText
})

//use jQuery if you need to parse the <script> tag
//var $ = window.CustomJQuery;
//$("code").html($($("code")[0].innerText))  //parse first code tag


js method 2

// Method 2: run the text of the first <code> tag as JavaScript, then drop the tag
const codeElement = document.querySelector("code")
const code = codeElement.textContent;
eval(code)
codeElement.remove()

// Another way (jQuery): move the current contents of #<id> aside, load the new html,
// and put the old contents into the sibling container #<id>_contents
function replaceContents(id, html) {
  let cont = $("#" + id).contents().wrap('<span></span>').detach();
  $(`#${id}`).html(html)
  $(`#${id}_contents`).html(cont)
}
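As a defender-side check, here is an added example (not code from the original page or from Spotfire) that scans stored text-area HTML for markup hidden inside <code> blocks, which the scripts above would re-inject. It assumes the smuggled markup may be stored either raw or entity-encoded (&lt;script&gt;); the sample inputs are constructed.

```javascript
// Added example: audit text-area HTML for markup hidden inside <code> blocks.
// Assumption: the hidden markup may be stored raw or entity-encoded.

// Constructs a sanitizer normally strips and that the <code> trick would restore.
const RISKY = [
  { name: "script tag",           re: /<script\b/i },
  { name: "inline event handler", re: /<[a-z][^>]*\s+on[a-z]+\s*=/i },
  { name: "javascript: URL",      re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: "frame/object/embed",   re: /<(?:iframe|object|embed)\b/i },
];

// Undo the entity encoding a sanitizer applies when it stores tags as visible text.
function decodeEntities(s) {
  return s.replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
          .replace(/&quot;/gi, '"').replace(/&#39;/g, "'").replace(/&amp;/gi, "&");
}

// Returns one finding per <code> block whose (decoded) body contains risky markup.
function auditCodeBlocks(html) {
  const findings = [];
  const codeRe = /<code\b[^>]*>([\s\S]*?)<\/code>/gi;
  let m, index = 0;
  while ((m = codeRe.exec(html)) !== null) {
    const body = decodeEntities(m[1]);
    const hits = RISKY.filter(r => r.re.test(body)).map(r => r.name);
    if (hits.length > 0) findings.push({ block: index, hits });
    index++;
  }
  return findings;
}

// Constructed sample 1: the page's text area, with the markup stored raw inside <code>.
const SAMPLE_RAW = [
  '<input value="inputs not supported:"/>',
  '<code>',
  '<button onclick="msg(\'spotfire developer\')">now supported</button>',
  '<a title="titles are now supported" href="#">tooltip</a>',
  "<script>function msg(name){alert('good job ' + name)}</script>",
  '</code>',
].join("\n");

// Constructed sample 2: the same payload as a sanitizer would store it, entity-encoded,
// followed by a harmless <code> block that must not be reported.
const SAMPLE_ENCODED =
  '<p>intro</p><code>&lt;button onclick=&quot;msg(\'dev\')&quot;&gt;go&lt;/button&gt;' +
  '&lt;script&gt;msg(\'dev\')&lt;/script&gt;</code><code>plain text, nothing risky</code>';

console.log(JSON.stringify(auditCodeBlocks(SAMPLE_RAW)));
console.log(JSON.stringify(auditCodeBlocks(SAMPLE_ENCODED)));
```

Run it over the HTML of each text area you maintain; a non-empty result means a <code> block carries markup that only survives because a script re-injects it.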
