From 08bdc7208e374802b31651e309bfd7880061a568 Mon Sep 17 00:00:00 2001
From: Dhruwang Jariwala <67850763+Dhruwang@users.noreply.github.com>
Date: Fri, 29 Dec 2023 05:56:27 +0530
Subject: [PATCH] fix: updated cleanHtml script (#1836)

---
 apps/formbricks-com/lib/cleanHtml.ts  | 14 +++++++++-----
 packages/lib/cleanHtml.ts             | 14 +++++++++-----
 packages/surveys/src/lib/cleanHtml.ts | 21 +++++++++++++--------
 3 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/apps/formbricks-com/lib/cleanHtml.ts b/apps/formbricks-com/lib/cleanHtml.ts
index 252b934666..b61697d3e3 100644
--- a/apps/formbricks-com/lib/cleanHtml.ts
+++ b/apps/formbricks-com/lib/cleanHtml.ts
@@ -38,8 +38,8 @@ export function cleanHtml(str: string): string {
   function isPossiblyDangerous(name: string, value: string): boolean {
     let val = value.replace(/\s+/g, "").toLowerCase();
     if (
-      ["src", "href", "xlink:href"].includes(name) &&
-      (val.includes("javascript:") || val.includes("data:"))
+      ["src", "href", "xlink:href", "srcdoc"].includes(name) &&
+      (val.includes("javascript:") || val.includes("data:") || val.includes("<script>"))
     ) {
       return true;
     }
@@ -57,10 +57,14 @@ export function cleanHtml(str: string): string {
     // Loop through each attribute
     // If it's dangerous, remove it
     let atts = elem.attributes;
-    for (let i = 0; i < atts.length; i++) {
+    for (let i = atts.length - 1; i >= 0; i--) {
       let { name, value } = atts[i];
-      if (!isPossiblyDangerous(name, value)) continue;
-      elem.removeAttribute(name);
+      if (isPossiblyDangerous(name, value)) {
+        elem.removeAttribute(name);
+      } else if (name === "srcdoc") {
+        // Recursively sanitize srcdoc content
+        elem.setAttribute(name, cleanHtml(value));
+      }
     }
   }
 
diff --git a/packages/lib/cleanHtml.ts b/packages/lib/cleanHtml.ts
index 252b934666..b61697d3e3 100644
--- a/packages/lib/cleanHtml.ts
+++ b/packages/lib/cleanHtml.ts
@@ -38,8 +38,8 @@ export function cleanHtml(str: string): string {
   function isPossiblyDangerous(name: string, value: string): boolean {
     let val = value.replace(/\s+/g, "").toLowerCase();
     if (
-      ["src", "href", "xlink:href"].includes(name) &&
-      (val.includes("javascript:") || val.includes("data:"))
+      ["src", "href", "xlink:href", "srcdoc"].includes(name) &&
+      (val.includes("javascript:") || val.includes("data:") || val.includes("<script>"))
     ) {
       return true;
     }
@@ -57,10 +57,14 @@ export function cleanHtml(str: string): string {
     // Loop through each attribute
     // If it's dangerous, remove it
     let atts = elem.attributes;
-    for (let i = 0; i < atts.length; i++) {
+    for (let i = atts.length - 1; i >= 0; i--) {
       let { name, value } = atts[i];
-      if (!isPossiblyDangerous(name, value)) continue;
-      elem.removeAttribute(name);
+      if (isPossiblyDangerous(name, value)) {
+        elem.removeAttribute(name);
+      } else if (name === "srcdoc") {
+        // Recursively sanitize srcdoc content
+        elem.setAttribute(name, cleanHtml(value));
+      }
     }
   }
 
diff --git a/packages/surveys/src/lib/cleanHtml.ts b/packages/surveys/src/lib/cleanHtml.ts
index 2f1054077d..b61697d3e3 100644
--- a/packages/surveys/src/lib/cleanHtml.ts
+++ b/packages/surveys/src/lib/cleanHtml.ts
@@ -21,9 +21,9 @@ export function cleanHtml(str: string): string {
    */
   function removeScripts(html: Element) {
     let scripts = html.querySelectorAll("script");
-    for (let script of scripts) {
+    scripts.forEach((script) => {
       script.remove();
-    }
+    });
   }
 
   /**
@@ -38,8 +38,8 @@ export function cleanHtml(str: string): string {
   function isPossiblyDangerous(name: string, value: string): boolean {
     let val = value.replace(/\s+/g, "").toLowerCase();
     if (
-      ["src", "href", "xlink:href"].includes(name) &&
-      (val.includes("javascript:") || val.includes("data:"))
+      ["src", "href", "xlink:href", "srcdoc"].includes(name) &&
+      (val.includes("javascript:") || val.includes("data:") || val.includes("<script>"))
     ) {
       return true;
     }
@@ -57,9 +57,14 @@ export function cleanHtml(str: string): string {
     // Loop through each attribute
     // If it's dangerous, remove it
     let atts = elem.attributes;
-    for (let { name, value } of atts) {
-      if (!isPossiblyDangerous(name, value)) continue;
-      elem.removeAttribute(name);
+    for (let i = atts.length - 1; i >= 0; i--) {
+      let { name, value } = atts[i];
+      if (isPossiblyDangerous(name, value)) {
+        elem.removeAttribute(name);
+      } else if (name === "srcdoc") {
+        // Recursively sanitize srcdoc content
+        elem.setAttribute(name, cleanHtml(value));
+      }
     }
   }
 
@@ -72,7 +77,7 @@ export function cleanHtml(str: string): string {
    * @param  {Element} html The HTML element
    */
   function clean(html: Element) {
-    let nodes = html.children;
+    let nodes = Array.from(html.children);
     for (let node of nodes) {
       removeAttributes(node);
       clean(node);