我希望 dompurify
允许 iframe 标签,并且我将 iframe
添加为异常(exception) (ADD_TAGS
)。但这会删除它的某些属性。我希望所有属性都在那里。
<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/1.0.3/purify.min.js"></script> </head>
<body>
<!-- Our DIV to receive content -->
<div id="sanitized"></div>
<!-- Now let's sanitize that content -->
<script>
/* jshint globalstrict:true, multistr:true */
/* global DOMPurify */
'use strict';
// Specify dirty HTML
var dirty = '<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" scrolling="no" src="https://www.youtube.com/embed/vJG698U2Mvo" width="560"></iframe>';
var config = { ADD_TAGS: ['iframe'], KEEP_CONTENT: false }
// Clean HTML string and write into our DIV
var clean = DOMPurify.sanitize(dirty, config);
console.log('clean: ', clean)
document.getElementById('sanitized').innerHTML = clean;
</script>
</body>
</html>
这是清理后的输出
"clean: <iframe width='560' src='https://www.youtube.com/embed/vJG698U2Mvo' height='315'></iframe>"
最佳答案
如果您只想允许 iframe 标签,请使用 ALLOWED_TAGS 而不是 ADD_TAGS,它允许默认允许的标签和默认不允许的 iframe 标签。
允许所有默认标签和 iframe 标签:
DOMPurify.sanitize(dirty, { ADD_TAGS: ["iframe"], ADD_ATTR: ['allow', 'allowfullscreen', 'frameborder', 'scrolling'] });
只允许 iframe 标签:
DOMPurify.sanitize(dirty, { ALLOWED_TAGS: ["iframe"], ADD_ATTR: ['allow', 'allowfullscreen', 'frameborder', 'scrolling'] });
关于javascript - 如何允许 `dompurify` 中的 iframe 标记包括其所有属性,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60299226/