sanitizeHTML.js
Sanitize and encode all HTML in a user-submitted string to prevent XSS attacks.
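/**
 * Sanitize and encode all HTML in a user-submitted string
 * https://portswigger.net/web-security/cross-site-scripting/preventing
 *
 * Every character other than ASCII word characters (`[A-Za-z0-9_]`), `-`,
 * `.` and space is replaced by its decimal numeric character reference
 * (`<` becomes `&#60;`), so the result can be placed in HTML text content
 * or inside a quoted attribute value. It is not a substitute for
 * context-specific encoding in URLs, JavaScript, CSS or unquoted attributes.
 *
 * The `javascript:` removal is kept for backward compatibility only: a
 * single-pass literal match is not a reliable filter on its own, and the
 * character encoding below is what actually neutralises the output.
 *
 * @param {String} str The user-submitted string
 * @return {String} The sanitized string
 */
function sanitizeHTML (str) {
  // The `u` flag makes the regex iterate by code point, so a character
  // outside the BMP (e.g. an emoji) is emitted as one numeric reference
  // instead of two lone surrogates, which an HTML parser would reject.
  // `_` is already covered by `\w`; `-` is placed last so it is literal.
  return str
    .replace(/javascript:/gi, '')
    .replace(/[^\w. -]/gu, (c) => `&#${c.codePointAt(0)};`);
}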