From 0446cda2c4eb8d1d776bc85113425daf87d5d185 Mon Sep 17 00:00:00 2001
From: Sagar Vora
Date: Wed, 1 Mar 2023 14:30:46 +0530
Subject: [PATCH] fix: use `DOMParser` instead of `createElement` to remove script and style (#20196)
---
 frappe/public/js/frappe/dom.js | 41 ++++++++++++++--------------------
 1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/frappe/public/js/frappe/dom.js b/frappe/public/js/frappe/dom.js
index 2dec7e587d..2e4fec371c 100644
--- a/frappe/public/js/frappe/dom.js
+++ b/frappe/public/js/frappe/dom.js
@@ -34,35 +34,28 @@ frappe.dom = {
 },
 remove_script_and_style: function (txt) {
 const evil_tags = ["script", "style", "noscript", "title", "meta", "base", "head"];
- const regex = new RegExp(evil_tags.map((tag) => `<${tag}>.*<\\/${tag}>`).join("|"), "s");
- if (!regex.test(txt)) {
- // no evil tags found, skip the DOM method entirely!
- return txt;
- }
+ const parser = new DOMParser();
+ const doc = parser.parseFromString(txt, "text/html");
+ const body = doc.body;
+ let found = !!doc.head.innerHTML;
 
- var div = document.createElement("div");
- div.innerHTML = txt;
- var found = false;
- evil_tags.forEach(function (e) {
- var elements = div.getElementsByTagName(e);
- i = elements.length;
- while (i--) {
+ for (const tag of evil_tags) {
+ for (const element of body.getElementsByTagName(tag)) {
 found = true;
- elements[i].parentNode.removeChild(elements[i]);
- }
- });
-
- // remove links with rel="stylesheet"
- var elements = div.getElementsByTagName("link");
- var i = elements.length;
- while (i--) {
- if (elements[i].getAttribute("rel") == "stylesheet") {
- found = true;
- elements[i].parentNode.removeChild(elements[i]);
+ element.parentNode.removeChild(element);
 }
 }
+
+ for (const element of body.getElementsByTagName("link")) {
+ const relation = element.getAttribute("rel");
+ if (relation && relation.toLowerCase().trim() === "stylesheet") {
+ found = true;
+ element.parentNode.removeChild(element);
+ }
+ }
+
 if (found) {
- return div.innerHTML;
+ return body.innerHTML;
 } else {
 // don't disturb
 return txt;
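Review bot: The two `for (const element of body.getElementsByTagName(...))` loops iterate a live HTMLCollection while removing from it, so after each removal the collection shifts left and the next matching element is skipped — two adjacent `<script>` elements leave the second one in the returned `body.innerHTML`, which defeats the purpose of this helper; the removed `while (i--)` walked backwards precisely to avoid that. Snapshot the collection before removing: `for (const element of [...body.getElementsByTagName(tag)]) {` and `for (const element of [...body.getElementsByTagName("link")]) {`. For the link loop, `element.relList.contains("stylesheet")` would also cover multi-token `rel` values such as `"alternate stylesheet"`, if those are meant to be stripped too. The closing lines of remove_script_and_style are outside the hunk.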