You can override JQuery's htmlPrefilterfunction:
htmlPrefilter: function( html ) {
return html;
},
If special character are the issue then try escaping them like this:
// trying to set following string as innerHTML
let c = '<qssQ5GkdwWU=7;//<';
// with default jquery
$('.one').html(c);
// modify filter function, and do your own character escaping
jQuery.htmlPrefilter = function(html) {
let clean = html.replace(/[&<"']/g, function(m) {
switch (m) {
case '&':
return '&';
case '<':
return '<';
case '"':
return '"';
default:
return ''';
}
});
return clean;
}
// now try on second div
$('.two').html(c);<script src="https://code.jquery.com/jquery-3.6.0.js"></script>
One:<span class="one"></span><br>
Two:<span class="two"></span><br>Execute above script preferably before you load Redactor.
If you decide to do your own sanitization then you could use DOMPurify or similar library.
let content = 'Malicius content <img src="https://dummyimage.com/30" onload="this.style.border=`2px solid red`;alert(`attacked! :p`);" >';
// default jquery
$('.one').html(content);
// modify filter function, do your own sanitization
jQuery.htmlPrefilter = function(html) {
html = DOMPurify.sanitize(html);
console.log('sanitized: ', html)
return html;
}
// trying on second div
$('.two').html(content);<script src="https://code.jquery.com/jquery-3.6.0.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.3.4/purify.min.js" integrity="sha512-jGh38w63cHRzfBHtyKgEMMkJswUFXDA3YXrDjaE8ptzxV5DDkLDUDjtGUy5tmDkOXHWsItKfFjocaEtj1WuVnQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
One:<span class="one"></span><br> Two:
<span class="two"></span><br>First image gets red border. And because of the sanitization second doesn't.