jQuery(function ($) { var selector = null; var lightbox = null; // Whitelist of allowed HTML elements and their allowed attributes. var allowedTags = { a: ["href", "title", "target", "rel"], b: [], i: [], u: [], em: [], strong: [], p: [], br: [], span: ["class", "id", "style"], img: ["src", "alt", "title"], h1: [], h2: [], h4: [], h4: [], h5: [], h6: [], ul: [], ol: [], li: [], }; // Function to sanitize HTML, allowing only certain tags and attributes. var sanitizeHTML = function (str) { // Create a temporary DOM element to parse the HTML string. var tempDiv = document.createElement("div"); tempDiv.innerHTML = str; // Iterate through all elements. var elements = tempDiv.querySelectorAll("*"); elements.forEach(function (el) { var tagName = el.tagName.toLowerCase(); // If the tag is not allowed, replace the element with its content. if (!allowedTags.hasOwnProperty(tagName)) { el.replaceWith(el.innerHTML); return; } // If the tag is allowed, check attributes. var allowedAttributes = allowedTags[tagName]; // Loop through each attribute of the element. for (var i = el.attributes.length - 1; i >= 0; i--) { var attrName = el.attributes[i].name; var attrValue = el.attributes[i].value; // Remove attributes that are not allowed for this tag. if (!allowedAttributes.includes(attrName)) { el.removeAttribute(attrName); } // Additional checks to sanitize certain attributes like href, src. if ( ["href", "src"].includes(attrName) && attrValue.startsWith("javascript:") ) { el.removeAttribute(attrName); // Remove dangerous URLs. } // Sanitize the title attribute (if allowed). if (attrName === "title") { el.setAttribute("title", sanitizeTitle(attrValue)); // Sanitize the title value. } } }); // Return the sanitized HTML as a string. var sanitizedText = tempDiv.innerHTML; return sanitizedText.replace(/\\/g, ""); }; // Helper function to sanitize the content of the title attribute. var sanitizeTitle = function (title) { // Replace potential XSS characters in the title. return title .replace(//g, ">") .replace(/"/g, """); }; // Function to sanitize captions in the DOM elements. var sanitizeCaptions = function () { $(".ngg-simplelightbox").each(function () { var caption = $(this).attr("title"); if (caption) { // Sanitize the caption and update the element attribute. var sanitizedCaption = sanitizeHTML(caption); $(this).attr("title", sanitizedCaption); } }); }; var nextgen_simplebox_options = { history: false, animationSlide: false, animationSpeed: 100, captionSelector: "self", }; var nextgen_simplelightbox_init = function () { // Sanitize all captions before initializing the lightbox. sanitizeCaptions(); // Initialize SimpleLightbox. selector = nextgen_lightbox_filter_selector($, $(".ngg-simplelightbox")); if (selector.length > 0) { lightbox = selector.simpleLightbox(nextgen_simplebox_options); } }; nextgen_simplelightbox_init(); $(window).on("refreshed", function () { if (lightbox) { lightbox.destroy(); } // Sanitize captions again after refresh. sanitizeCaptions(); // Re-initialize SimpleLightbox. selector = nextgen_lightbox_filter_selector($, $(".ngg-simplelightbox")); if (selector.length > 0) { lightbox = selector.simpleLightbox(nextgen_simplebox_options); } }); });