Use dompurify to sanitize text input

eKoopmans · eKoopmans · commit eed521d39050 · 2026-01-11T19:50:17.000-05:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -28,6 +28,7 @@
   },
   "homepage": "https://ekoopmans.github.io/html2pdf.js/",
   "dependencies": {
+    "dompurify": "^3.3.1",
     "html2canvas": "^1.0.0",
     "jspdf": "^4.0.0"
   },
diff --git a/src/utils.js b/src/utils.js
@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 // Determine the type of a variable/object.
 export const objType = function objType(obj) {
   var type = typeof obj;
@@ -14,14 +16,9 @@ export const objType = function objType(obj) {
 // Create an HTML element with optional className, innerHTML, and style.
 export const createElement = function createElement(tagName, opt) {
   var el = document.createElement(tagName);
-  if (opt.className)  el.className = opt.className;
-  if (opt.innerHTML) {
-    el.innerHTML = opt.innerHTML;
-    var scripts = el.getElementsByTagName('script');
-    for (var i = scripts.length; i-- > 0; null) {
-      scripts[i].parentNode.removeChild(scripts[i]);
-    }
-  }
+  if (opt.className) el.className = opt.className;
+  if (opt.innerHTML) el.innerHTML = DOMPurify.sanitize(opt.innerHTML);
+
   for (var key in opt.style) {
     el.style[key] = opt.style[key];
   }
