diff --git a/CHANGELOG b/CHANGELOG
index f943e041..136c172b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,4 @@
+* Sanitize RichtText fields content (issue9405)
* Escape external string (issue9394)
* Keep context in sessionStorage
* Use existing context for get_preferences
diff --git a/COPYRIGHT b/COPYRIGHT
index adcd731d..5e599710 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -2,6 +2,7 @@ Copyright (C) 2012-2020 Nicolas Évrard.
Copyright (C) 2012-2020 Cédric Krier.
Copyright (C) 2012-2014 Bertrand Chenal.
Copyright (C) 2012-2020 B2CK SPRL.
+Copyright (C) 2019 Jitbit.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/Gruntfile.js b/Gruntfile.js
index 087920a4..990c6c59 100644
--- a/Gruntfile.js
+++ b/Gruntfile.js
@@ -23,7 +23,8 @@ module.exports = function(grunt) {
'src/wizard.js',
'src/board.js',
'src/bus.js',
- 'src/plugins.js'
+ 'src/plugins.js',
+ 'src/html_sanitizer.js'
];
// Project configuration.
diff --git a/src/html_sanitizer.js b/src/html_sanitizer.js
new file mode 100644
index 00000000..7e38cd19
--- /dev/null
+++ b/src/html_sanitizer.js
@@ -0,0 +1,105 @@
+/*
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+(function () {
+ 'use strict';
+
+ var tag_whitelist = {
+ B: true,
+ BODY: true,
+ BR: true,
+ DIV: true,
+ FONT: true,
+ I: true,
+ U: true,
+ };
+
+ var attribute_whitelist = {
+ align: true,
+ color: true,
+ face: true,
+ size: true,
+ };
+
+ Sao.HtmlSanitizer = {};
+ Sao.HtmlSanitizer.sanitize = function(input) {
+ input = input.trim();
+ // to save performance and not create iframe
+ if (input == "") return "";
+
+ // firefox "bogus node" workaround
+ if (input == "
") return "";
+
+ var iframe = document.createElement('iframe');
+ if (iframe.sandbox === undefined) {
+ // Browser does not support sandboxed iframes
+ console.warn("Your browser do not support sandboxed iframes," +
+ " unable to sanitize HTML.");
+ return input;
+ }
+ iframe.sandbox = 'allow-same-origin';
+ iframe.style.display = 'none';
+ // necessary so the iframe contains a document
+ document.body.appendChild(iframe);
+ var iframedoc = (iframe.contentDocument ||
+ iframe.contentWindow.document);
+ // null in IE
+ if (iframedoc.body == null) {
+ iframedoc.write("