mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-22 01:36:29 -05:00
Updated XSS filter options to allow style tag and style attribute
This commit is contained in:
parent
4c4a0e0f3f
commit
2a774064af
1 changed files with 21 additions and 11 deletions
|
@ -1,13 +1,23 @@
|
|||
function preventXSS(html) {
|
||||
var options = {
|
||||
allowCommentTag: true,
|
||||
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||
// allow attr start with 'data-' or equal 'id' and 'class'
|
||||
if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') {
|
||||
// escape its value using built-in escapeAttrValue function
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||
}
|
||||
var whiteListAttr = ['id', 'class', 'style'];
|
||||
|
||||
var filterXSSOptions = {
|
||||
allowCommentTag: true,
|
||||
onIgnoreTag: function (tag, html, options) {
|
||||
// allow style in html
|
||||
if (tag === 'style') {
|
||||
// do not filter its attributes
|
||||
return html;
|
||||
}
|
||||
};
|
||||
return filterXSS(html, options);
|
||||
},
|
||||
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||
// allow attr start with 'data-' or in the whiteListAttr
|
||||
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
|
||||
// escape its value using built-in escapeAttrValue function
|
||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
function preventXSS(html) {
|
||||
return filterXSS(html, filterXSSOptions);
|
||||
}
|
Loading…
Reference in a new issue