General: Leverage DOMParser to implement wp.sanitize.stripTags().

westonruter · westonruter · commit 8867703b7d56 · 2025-12-03T18:07:53.000Z
Developed in #10536 Follow-up to [60907]. Props hbhalodia, dmsnell, westonruter. See #48054. Fixes #64274. git-svn-id: https://develop.svn.wordpress.org/trunk@61347 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/js/_enqueues/wp/sanitize.js b/src/js/_enqueues/wp/sanitize.js
@@ -23,22 +23,25 @@
 		 * @return {string} Stripped text.
 		 */
 		stripTags: function( text ) {
-			let _text = text || '';
+			const domParser = new DOMParser();
+			const htmlDocument = domParser.parseFromString(
+				text,
+				'text/html'
+			);
 
-			// Do the search-replace until there is nothing to be replaced.
-			do {
-				// Keep pre-replace text for comparison.
-				text = _text;
-
-				// Do the replacement.
-				_text = text
-					.replace( /<!--[\s\S]*?(-->|$)/g, '' )
-					.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
-					.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
-			} while ( _text !== text );
+			/*
+			 * The following self-assignment appears to be a no-op, but it isn't.
+			 * It enforces the escaping. Reading the `innerText` property decodes
+			 * character references, returning a raw string. When written, however,
+			 * the text is re-escaped to ensure that the rendered text replicates
+			 * what it's given.
+			 *
+			 * See <https://github.com/WordPress/wordpress-develop/pull/10536#discussion_r2550615378>.
+			 */
+			htmlDocument.body.innerText = htmlDocument.body.innerText;
 
 			// Return the text with stripped tags.
-			return _text;
+			return htmlDocument.body.innerHTML;
 		},
 
 		/**
