📄 src/models/sanitizer.ts
D-OPEN SOVEREIGN

Documentation & Insights

Simple XSS sanitizer to filter out HTML tags and dangerous protocols.
Used for sanitizing text properties in patches saved to and loaded from the blockchain.
1/*
2 * Copyright (c) 2026 DataPond D-Library Pty Ltd. ("The Sanctuary")
3 * Non-Profit Public Library — The World Library
4 * 
5 * D-SAFE Certification issued by POND Enterprise.
6 * Published under the D-Open Code Sovereign Licence v1.0 framework
7 * DataPond D-Library All exclusive Right reserved on modifiying the code - CC Attribution to data pond, Non modifiable, Non Commercial.
8 * https://registry.world.bibliotech.com/licence
9 * Source code donated to DataPond D-Library by it's author: data pond.
10 * 
11 * Technical Guardian ("The Shield"): Pond Enterprise Pty Ltd. (ACN 694 747 987)
12 * All liability claims about D-SAFE certification issues coming from the published D-Safe direction must be addressed with Pond Enterprise Pty Ltd.
13 * Code Modification automatically voids the certified liability protection provided by Pond Enterprise.
14 */
15/**
16 * Simple XSS sanitizer to filter out HTML tags and dangerous protocols.
17 * Used for sanitizing text properties in patches saved to and loaded from the blockchain.
18 */
19export function sanitizeText(text: string): string {
20  if (typeof text !== 'string') return text;
21
22  // 1. Strip all HTML tags (aggressive approach as requested/approved)
23  let sanitized = text.replace(/<\/?[^>]+(>|$)/g, "");
24
25  // 2. Decode common HTML entities to prevent obfuscated XSS (e.g., &lt;script&gt;)
26  // For now, we mainly care about preventing actual tag injection.
27  
28  // 3. Remove "javascript:", "data:", "vbscript:" protocols which can be exploited in URLs
29  // case-insensitive and handles some common obfuscation
30  const dangerousProtocols = /javascript:|data:|vbscript:|onclick|onerror|onload|onmouseover/gi;
31  sanitized = sanitized.replace(dangerousProtocols, "[REDACTED]");
32
33  return sanitized;
34}
35