github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-25 03:06:31 -05:00
Code Issues Projects Releases Packages Wiki Activity

Don't accept sandbox attribute

Browse source 
Because sandbox is whitelist attribute, attacker will be able to create iframe that has more permission than default.

Signed-off-by: RyotaK <49341894+ry0tak@users.noreply.github.com>
This commit is contained in:
RyotaK 2019-08-21 18:50:56 +09:00 committed by Sheogorath
parent 145285abf6
commit 8494f6a085
No known key found for this signature in database
GPG key ID: C9B1C80737B9CE18
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
public/js/render.js
View file

@ -20,7 +20,7 @@ whiteList['style'] = []
// allow kbd tag
whiteList['kbd'] = []
// allow ifram tag with some safe attributes
whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'width', 'height']
whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'src', 'width', 'height']
// allow summary tag
whiteList['summary'] = []
// allow ruby tag