Updated XSS filter options to allow style tag and style attribute
This commit is contained in:
parent
4c4a0e0f3f
commit
2a774064af
1 changed files with 21 additions and 11 deletions
|
@ -1,13 +1,23 @@
|
||||||
function preventXSS(html) {
|
var whiteListAttr = ['id', 'class', 'style'];
|
||||||
var options = {
|
|
||||||
|
var filterXSSOptions = {
|
||||||
allowCommentTag: true,
|
allowCommentTag: true,
|
||||||
|
onIgnoreTag: function (tag, html, options) {
|
||||||
|
// allow style in html
|
||||||
|
if (tag === 'style') {
|
||||||
|
// do not filter its attributes
|
||||||
|
return html;
|
||||||
|
}
|
||||||
|
},
|
||||||
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||||
// allow attr start with 'data-' or equal 'id' and 'class'
|
// allow attr start with 'data-' or in the whiteListAttr
|
||||||
if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') {
|
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
|
||||||
// escape its value using built-in escapeAttrValue function
|
// escape its value using built-in escapeAttrValue function
|
||||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
return filterXSS(html, options);
|
|
||||||
|
function preventXSS(html) {
|
||||||
|
return filterXSS(html, filterXSSOptions);
|
||||||
}
|
}
|
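Review bot: The `style` attribute is let through in `onIgnoreTagAttr` with only `filterXSS.escapeAttrValue(value)`, which entity-escapes quotes and angle brackets but does no CSS filtering, so arbitrary declarations such as a `position:fixed` full-page overlay, `url()` loads that beacon to an attacker host, or `expression()`/`-moz-binding` on legacy engines reach the rendered note unchanged; the `<style>` element returned verbatim from `onIgnoreTag` carries the same unfiltered CSS in its body. js-xss has its own CSS filter for `style` values (applied via the `css` option / `safeAttrValue` when `style` is in the tag `whiteList`), so a safer shape is to drop `'style'` from `whiteListAttr` and extend the library `whiteList` instead, e.g. `var whiteList = filterXSS.getDefaultWhiteList();` followed by pushing `'style'` onto each tag's attribute list — the exact export names should be confirmed against the bundled js-xss version. If passing CSS through unfiltered is an accepted trade-off for user-styled notes, record that at the `// do not filter its attributes` comment, e.g. `// NOTE: style values are only HTML-escaped, not CSS-filtered; CSS injection (overlays, url() beacons) is accepted here`.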