github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-21 17:26:29 -05:00
Code Issues Projects Releases Packages Wiki Activity

Updated XSS filter options to allow style tag and style attribute

Browse source
This commit is contained in:
Cheng-Han, Wu 2016-02-11 14:33:21 -06:00
parent 4c4a0e0f3f
commit 2a774064af
1 changed files with 21 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
public/js/render.js
View file

@ -1,13 +1,23 @@
function preventXSS(html) {
var options = {
allowCommentTag: true,
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
// allow attr start with 'data-' or equal 'id' and 'class'
if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') {
// escape its value using built-in escapeAttrValue function
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
var whiteListAttr = ['id', 'class', 'style'];
var filterXSSOptions = {
allowCommentTag: true,
onIgnoreTag: function (tag, html, options) {
// allow style in html
if (tag === 'style') {
// do not filter its attributes
return html;
}
};
return filterXSS(html, options);
},
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
// allow attr start with 'data-' or in the whiteListAttr
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
// escape its value using built-in escapeAttrValue function
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
}
};
function preventXSS(html) {
return filterXSS(html, filterXSSOptions);
}