diff --git a/frappe/public/js/frappe/utils/common.js b/frappe/public/js/frappe/utils/common.js
index b324cecd39..1f3558b367 100644
--- a/frappe/public/js/frappe/utils/common.js
+++ b/frappe/public/js/frappe/utils/common.js
@@ -259,8 +259,16 @@ frappe.utils.xss_sanitise = function (string, options) {
 '/': '/'
 };
 const REGEX_SCRIPT = /)<[^<]*)*<\/script>/gi; // used in jQuery 1.7.2 src/ajax.js Line 14
+ const REGEX_ALERT = /confirm\(.*\)|alert\(.*\)|prompt\(.*\)/gi; // captures alert, confirm, prompt
 options = Object.assign({}, DEFAULT_OPTIONS, options); // don't deep copy, immutable beauty.
+ // Rule 3 - TODO: Check event handlers?
+ // script and alert should be checked first or else it will be escaped
+ if (options.strategies.includes('js')) {
+ sanitised = sanitised.replace(REGEX_SCRIPT, "");
+ sanitised = sanitised.replace(REGEX_ALERT, "");
+ }
+
 // Rule 1
 if (options.strategies.includes('html')) {
 for (let char in HTML_ESCAPE_MAP) {
@@ -270,11 +278,6 @@ frappe.utils.xss_sanitise = function (string, options) {
 }
 }
- // Rule 3 - TODO: Check event handlers?
- if (options.strategies.includes('js')) {
- sanitised = sanitised.replace(REGEX_SCRIPT, "");
- }
-
 return sanitised;
 }
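Review bot: The new `REGEX_ALERT` on the added `const` line is a keyword blacklist rather than a sanitiser — the same calls written as `window['alert'](1)`, `top.alert(1)`, `eval('al'+'ert(1)')` or `setTimeout('alert(1)')` pass straight through, so the `'js'` strategy must not be relied on by itself. Its greedy `.*` also strips everything between the first `alert(` and the last `)` on a line (`alert(1) legitimate text prompt(2)` loses the middle), while `.` never crosses a newline, so a call split over two lines is not removed at all. I would tighten it to `const REGEX_ALERT = /\b(?:alert|confirm|prompt)\s*\([^)]*\)/gi;` and add above it `// Best-effort heuristic only: trivially bypassed (aliasing, eval, string-built names); untrusted output must still go through the 'html' strategy or a DOM-based sanitiser.` The enclosing `xss_sanitise` function begins before the first hunk and its `return` sits in the second, so the full strategy order is not visible here.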