From b2fd0139e3549eb2d06e95c53347d5242375fe49 Mon Sep 17 00:00:00 2001
From: Stivali Serna
Date: Fri, 1 Dec 2023 13:39:29 +0100
Subject: [PATCH] feat(packages/sui-js): exclude all dangerous html elements

---
 packages/sui-js/src/react/index.js | 35 +++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/packages/sui-js/src/react/index.js b/packages/sui-js/src/react/index.js
index 32c070149..d0d3d4072 100644
--- a/packages/sui-js/src/react/index.js
+++ b/packages/sui-js/src/react/index.js
@@ -1,10 +1,43 @@
 import htmr from 'htmr'
 
+// This is a list of all the elements that should not be allowed to be rendered as they pose a security risk.
+// See: https://developer.mozilla.org/en-US/docs/Web/HTML/Element
+// If you want to allow one of these elements, you can add it to the `transform` object in the `options`.
+export const DANGEROUS_TRANSFORMS = {
+  area: () => null,
+  audio: () => null,
+  base: () => null,
+  canvas: () => null,
+  embed: () => null,
+  form: () => null,
+  frame: () => null,
+  frameset: () => null,
+  head: () => null,
+  html: () => null,
+  iframe: () => null,
+  img: () => null,
+  link: () => null,
+  map: () => null,
+  meta: () => null,
+  noscript: () => null,
+  object: () => null,
+  picture: () => null,
+  portal: () => null,
+  script: () => null,
+  slot: () => null,
+  source: () => null,
+  style: () => null,
+  template: () => null,
+  title: () => null,
+  track: () => null,
+  video: () => null
+}
+
 export const htmlStringToReactElement = (string, options) =>
   htmr(string, {
     ...options,
     transform: {
-      script: () => null,
+      ...DANGEROUS_TRANSFORMS,
       ...options?.transform
     }
   })
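Review bot: The new `DANGEROUS_TRANSFORMS` denylist still lets through several element types that the header comment's "all the elements" wording implies are covered: `svg` and `math` (both can wrap `<script>`, `<foreignObject>` or `<use>` payloads), the form controls `input`, `button`, `select` and `textarea` (dropping `form` only removes the wrapper), and `a`, whose `href` may carry a `javascript:` URL. At minimum add `svg: () => null, math: () => null,` next to the other entries, and consider inverting this into an allowlist of known-safe tags with a default-drop transform, since a denylist must be revisited every time the element set grows. Note that the filter acts only on element names; event-handler attributes such as `onerror`/`onload` or `javascript:`/`data:` URLs on elements that survive are not addressed here, and whether htmr forwards them to React props is not visible in this hunk. Because `...options?.transform` is spread last, any caller can re-enable an entry — that matches the comment — but the exported object should be frozen (`export const DANGEROUS_TRANSFORMS = Object.freeze({ ... })`) so one consumer cannot mutate the shared denylist for every other caller in the process.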