diff --git a/packages/js/currency/src/test/index.ts b/packages/js/currency/src/test/index.ts
index 3f6ef2529de..f3bdf8c1b68 100644
--- a/packages/js/currency/src/test/index.ts
+++ b/packages/js/currency/src/test/index.ts
@@ -102,4 +102,20 @@ describe( 'currency.formatDecimalString', () => {
// @ts-expect-error formatAccount expects a number or string;
expect( currency.formatDecimalString( null ) ).toBe( '' );
} );
+
+ it( 'should strip tags in getPriceFormat', () => {
+ const currency = Currency();
+
+ expect(
+ currency.getPriceFormat( {
+ priceFormat: 'tagformat',
+ } )
+ ).toBe( 'tagformat' );
+
+ expect(
+ currency.getPriceFormat( {
+ priceFormat: 'format',
+ } )
+ ).toBe( 'format' );
+ } );
} );
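Review bot: The added test does not reach the branches `stripTags` gains in this commit: nothing covers an HTML comment, an unterminated tag (the `(>|$)` alternative), the repeat pass taken when removing one tag leaves another behind, or an entity such as `&amp;` passing through. As rendered on this page both inputs, `'tagformat'` and `'format'`, contain no markup at all, which may be a loss in rendering, so check that the real literals do include tags. One assertion per branch would pin the behaviour, for example (constructed value) `expect( currency.getPriceFormat( { priceFormat: 'a<b' } ) ).toBe( 'a' );` for the unterminated case, assuming `getPriceFormat` returns the stripped string unchanged as the existing assertions suggest. The `it` also sits inside `describe( 'currency.formatDecimalString', … )`, which opens outside this hunk; a separate `describe( 'currency.getPriceFormat', … )` would keep failures attributable.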
diff --git a/packages/js/currency/src/utils.tsx b/packages/js/currency/src/utils.tsx
index 2a8901991fa..b0807de6866 100644
--- a/packages/js/currency/src/utils.tsx
+++ b/packages/js/currency/src/utils.tsx
@@ -66,9 +66,17 @@ const CurrencyFactoryBase = function ( currencySetting?: CurrencyConfig ) {
let currency: Currency;
function stripTags( str: string ) {
- const tmp = document.createElement( 'DIV' );
- tmp.innerHTML = str;
- return tmp.textContent || tmp.innerText || '';
+ // sanitize Polyfill - see https://github.com/WordPress/WordPress/blob/master/wp-includes/js/wp-sanitize.js
+ const strippedStr = str
+ .replace( /|$)/g, '' )
+ .replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/gi, '' )
+ .replace( /<\/?[a-z][\s\S]*?(>|$)/gi, '' );
+
+ if ( strippedStr !== str ) {
+ return stripTags( strippedStr );
+ }
+
+ return strippedStr;
}
/**
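Review bot: The new `stripTags` no longer decodes HTML entities, which the removed `textContent` path did, so a format containing `&nbsp;` now comes back with the literal entity and an entity-encoded tag such as `&lt;b&gt;` passes through unchanged; neither the code nor the test says whether that is intended. The result is also not HTML-escaped, so it is only safe where the caller renders it as text, and `getPriceFormat` and its consumers are outside this hunk, so that cannot be confirmed here. I would replace the link-only comment with `// Removes comments, script/style blocks and tags; entities are not decoded and the result is not escaped, so render it as text, never as HTML.` and add a line above the `if` saying the pass repeats because removing one tag can leave a new one behind. The first `.replace` pattern shows on this page as `/|$)/g`, which is not a valid regular expression; it is presumably the comment pattern from the linked wp-sanitize.js with its opening part lost in rendering, so compare it with the actual file.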