I need to let people insert code into my post. People's code is written into an iframe so that they can't misbehave. I.e. not src="url" but srcdoc="code". Things like this must not work:

window.parent.document.write("<h1>Текст</h1>") 

I.e. I have a construction like <iframe srcdoc="' + переменная + '">.

Maybe cut "parent" out of the variable? Without that word you can't get to the parent? Thanks.

    1 answer

    As one option, you can use this regular expression to remove scripts:

        // Matches <script ...>...</script> and self-closing <script .../> elements.
        // g flag: replace() removes every script, not just the first; i flag: case-insensitive tag name;
        // [\s\S]*? instead of .*?: script bodies that span several lines are matched too.
        // Note: this covers only <script> elements, not event-handler attributes such as onload.
        var pattern = /<script(\s+(\w+\s*=\s*("|').*?\3)\s*)*\s*(\/>|>[\s\S]*?<\/script\s*>)/gi;
        var match = HTMLString.match(pattern); // array of matches of the regular expression (null if none)

    Then you can use str.replace() to remove them.

    Also, the iframe has a sandbox attribute that lets you block forms and scripts.
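The sandbox approach from the answer, as an added example (not code from the original post): the srcdoc value is escaped so a quote in the user's text cannot break out of the attribute, and the sandbox token list is checked so that `allow-scripts` is never combined with `allow-same-origin`, which is the combination that keeps the frame in the parent's origin and lets framed script reach window.parent.document. The helper names and the sample payload are constructed for this example.

```javascript
// Added example: building <iframe srcdoc> markup so untrusted HTML cannot reach window.parent.
// Runs in Node or a browser; no DOM access is needed to build the markup.

// Escape a string for use inside a double-quoted HTML attribute.
// The question's '<iframe srcdoc="' + variable + '">' concatenation lets a quote
// inside the variable close the attribute; escaping prevents that.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Weak setting: allow-scripts together with allow-same-origin keeps the srcdoc
// document in the embedding page's origin, so its scripts can use window.parent.document.
const UNSAFE_TOKENS = ['allow-scripts', 'allow-same-origin'];

// Returns true if the sandbox token list is acceptable (does not combine both unsafe tokens).
function validateSandbox(tokens) {
  const set = new Set(tokens);
  return !UNSAFE_TOKENS.every((t) => set.has(t));
}

// Corrected setting: sandbox="allow-scripts" alone gives the srcdoc document an opaque
// origin, so the user's scripts still run but window.parent.document throws a SecurityError.
function buildSandboxedIframe(userHtml, tokens = ['allow-scripts']) {
  if (!validateSandbox(tokens)) {
    throw new Error('sandbox must not combine allow-scripts with allow-same-origin');
  }
  return '<iframe sandbox="' + tokens.join(' ') + '" srcdoc="' + escapeAttr(userHtml) + '"></iframe>';
}

// Constructed sample: the payload from the question, wrapped in a script element.
const sample = '<script>window.parent.document.write("<h1>Text</h1>")</script>';
console.log(buildSandboxedIframe(sample));
```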