
can't add script tag #764

Closed
fateme-ezzati opened this issue May 26, 2021 · 7 comments

@fateme-ezzati

I use react sun editor in my next.js project, and when I add a script tag in code view the editor deletes my tag.
I tried to use `addTagsWhitelist: "script|button"` in my set options, but it didn't work.
My code:
```jsx
import React from 'react';
import dynamic from "next/dynamic";
import "suneditor/dist/css/suneditor.min.css";

// Load the editor on the client only: SunEditor needs the DOM, so no SSR.
const SunEditor = dynamic(() => import("suneditor-react"), {
  ssr: false,
});
const plugins = dynamic(() => import("suneditor/src/plugins"), {
  ssr: false,
});

// The issue only posted the <SunEditor> fragment; the wrapping component,
// its state and the change handler are filled in here so the snippet runs.
class StaticPageEditor extends React.Component {
  state = { static_page: { content: "" } };

  handleChangeEditor = (content) => {
    this.setState({ static_page: { content } });
  };

  render() {
    return (
      <SunEditor
        defaultValue={this.state.static_page.content}
        setContents={this.state.static_page.content}
        onChange={this.handleChangeEditor}
        setOptions={{
          plugins: plugins,
          minHeight: '400px',
          addTagsWhitelist: "style|script|button",
          attributesWhitelist: {
            'all': 'style|className|data-.+',
          },
          buttonList: [
            ['undo', 'redo'],
            ['font', 'fontSize', 'formatBlock'],
            ['paragraphStyle', 'blockquote'],
            ['bold', 'underline', 'italic', 'strike', 'subscript', 'superscript'],
            ['fontColor', 'hiliteColor', 'textStyle'],
            ['removeFormat'],
            // '/', // Line break
            ['outdent', 'indent'],
            ['align', 'horizontalRule', 'list', 'lineHeight'],
            ['table', 'link', 'image', 'video', 'audio' /** ,'math' */], // You must add the 'katex' library at options to use the 'math' plugin.
            /** ['imageGallery'] */ // You must add the "imageGalleryUrl".
            ['fullScreen', 'showBlocks', 'codeView'],
            ['preview', 'print'],
            // ['save', 'template']
          ],
          formats: ["p", "div", "h1", "h2", "h3", "h4", "h5", "h6"],
        }}
      />
    );
  }
}

export default StaticPageEditor;
```
fateme-ezzati changed the title from "cant apply script tag" to "cant add script tag" on May 26, 2021
@JiHong88 (Owner)

@fateme-ezzati To prevent XSS attacks, the "script" tag is not allowed.

@richardbrinkman

I understand that the default is to remove a `<script>` tag. But it should be possible to override this by adding script to the `addTagsWhitelist` setting. On my webpage, only a few people, who I totally trust not to insert any XSS attacks, have access to the edit page containing SunEditor. They should be able to add scripts.

The same holds for something like `<a href="javascript:...">`. This is also removed without a setting to override the removal.

I would really, really want @JiHong88 to reconsider the wontfix label.

For me this is a reason to consider replacing SunEditor with a different editor.

@JiHong88 (Owner)

@richardbrinkman ok, I will check it again

@blutorange commented Apr 12, 2023

For what it's worth, we also need the option to enable script tags. It should be disabled by default for security reasons, but there are some use cases where this is needed: in our case a backend configuration page where backend users edit HTML snippets which may contain style and script tags.

For the brave, there is a hack to enable script and style tags (this completely disables cleaning, even when pasting, so it's not really a solution):

```js
var sunEditor = SUNEDITOR.create(...);
sunEditor.core._deleteDisallowedTags = function(e) {
    // disable all sanitization / HTML cleaning
    return e;
}
var convertContentsForEditorOld = sunEditor.core.convertContentsForEditor;
sunEditor.core.convertContentsForEditor = function(e) {
    // Wrap in body tag to preserve style and script tags when parsed via DOMParser
    e = `<body>${e}</body>`;
    return convertContentsForEditorOld.call(this, e);
}
sunEditor.core.cleanHTML = function(html) {
    return html;
}
// Set the value again because the HTML was cleaned when the sun editor was created initially
sunEditor.setContents(...)
```
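
The default that @JiHong88 describes (script stripped even when it is listed in the whitelist, `javascript:` URLs removed with no override) and the explicit opt-in that later commenters ask for can be modelled with a small allowlist sanitizer, which shows why a separate switch is a safer shape than the hack above that turns cleaning off entirely. This is an added example, not SunEditor's or suneditor-react's code: the `addTagsWhitelist` and `attributesWhitelist` option shapes follow the forms used in this thread, and `allowScriptTag` is a hypothetical flag standing in for an explicit opt-in such as the `__allowedScriptTag` option mentioned further down.

```javascript
// Added example, not SunEditor's code: a minimal allowlist sanitizer that
// mirrors the policy argued over in this thread. Regex-based, for illustration.
const BASE_TAGS = "p|div|h1|h2|h3|h4|h5|h6|b|i|u|a|ul|ol|li|br|span|img";

function buildPolicy(options = {}) {
  // addTagsWhitelist uses the "a|b|c" string form seen in the issue
  const tags = new Set(BASE_TAGS.split("|"));
  for (const t of (options.addTagsWhitelist || "").split("|")) {
    if (t) tags.add(t.toLowerCase());
  }
  // Listing "script" in the general allowlist is not enough: it needs an
  // explicit opt-in (allowScriptTag is a hypothetical name for that flag).
  if (!options.allowScriptTag) tags.delete("script");
  const attrs = new RegExp("^(" + (options.attributesWhitelist || "href|src|alt") + ")$", "i");
  return { tags, attrs };
}

function sanitizeAttrs(attrString, policy) {
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "", m;
  while ((m = re.exec(attrString))) {
    const name = m[1], value = m[2] ?? m[3] ?? m[4];
    if (/^on/i.test(name) || !policy.attrs.test(name)) continue; // no event handlers
    // javascript: URLs are always removed, as the thread describes (no override)
    const scheme = value.replace(/[\x00-\x20]/g, "").toLowerCase();
    if (/^(href|src)$/i.test(name) && scheme.startsWith("javascript:")) continue;
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

function sanitizeHTML(html, options) {
  const policy = buildPolicy(options);
  // Remove whole <script>...</script> blocks, body included, unless opted in.
  const out = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi,
    (block) => (policy.tags.has("script") ? block : ""));
  // Drop every other tag not on the allowlist and filter attributes on the rest.
  return out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, name, rest) => {
    const tag = name.toLowerCase();
    if (!policy.tags.has(tag)) return "";
    return whole.startsWith("</") ? `</${tag}>` : `<${tag}${sanitizeAttrs(rest, policy)}>`;
  });
}
```

With the flag off, `addTagsWhitelist: "style|script|button"` still yields no `<script>` in the output; with it on, scripts survive but `javascript:` links are still dropped, so a trusted-editor deployment gets what it asked for without switching cleaning off for pasted content too.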

@JiHong88 JiHong88 modified the milestones: 2.44.11, 2.45.0 Apr 15, 2023
@s-kris commented May 20, 2023

Allowing script tag would be really appreciated.

@JiHong88 JiHong88 added feature and removed wontfix labels May 29, 2023
JiHong88 added a commit that referenced this issue on May 29, 2023: add: util.htmlCompress
@JiHong88 (Owner)

The 2.45.0 version has been updated.
Thank you.

@achapman009

I cannot seem to set the `__allowedScriptTag` in the options. Am I missing something?
