Safe by default content option

tsmith14 · Jul 23, 2016 · 3d02df1 · 3d02df1
1 parent 1142c9f
commit 3d02df1
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/src/vex.js b/src/vex.js
@@ -6,6 +6,17 @@ require('es6-object-assign').polyfill()
 // String to DOM function
 var domify = require('domify')
 
+// Use the DOM's HTML parsing to escape any dangerous strings
+var escapeHtml = function escapeHtml (str) {
+  if (typeof str !== 'undefined') {
+    var div = document.createElement('div')
+    div.appendChild(document.createTextNode(str))
+    return div.innerHTML
+  } else {
+    return ''
+  }
+}
+
 // Detect CSS Animation End Support
 // https://github.com/limonte/sweetalert2/blob/99bd539f85e15ac170f69d35001d12e092ef0054/src/utils/dom.js#L194
 var animationEndEvent = (function detectAnimationEndEvent () {
@@ -147,6 +158,15 @@ var vex = {
         content: opts
       }
     }
+
+    // `content` is unsafe internally, so translate
+    // safe default: HTML-escape the content before passing it through
+    if (opts.unsafeContent && !opts.content) {
+      opts.content = opts.unsafeContent
+    } else if (opts.content) {
+      opts.content = escapeHtml(opts.content)
+    }
+
     // Store options on instance for future reference
     var options = vexInstance.options = Object.assign({}, vex.defaultOptions, opts)