2016-02-16 15:51:22 +00:00
|
|
|
var whiteListTag = ['style', '!--'];
|
2016-02-11 20:33:21 +00:00
|
|
|
var whiteListAttr = ['id', 'class', 'style'];
|
|
|
|
|
|
|
|
var filterXSSOptions = {
|
|
|
|
allowCommentTag: true,
|
|
|
|
onIgnoreTag: function (tag, html, options) {
|
|
|
|
// allow style in html
|
2016-02-16 15:51:22 +00:00
|
|
|
if (whiteListTag.indexOf(tag) !== -1) {
|
2016-02-11 20:33:21 +00:00
|
|
|
// do not filter its attributes
|
|
|
|
return html;
|
|
|
|
}
|
|
|
|
},
|
|
|
|
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
|
|
|
|
// allow attr start with 'data-' or in the whiteListAttr
|
|
|
|
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
|
|
|
|
// escape its value using built-in escapeAttrValue function
|
|
|
|
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
2016-02-11 09:45:13 +00:00
|
|
|
}
|
2016-02-11 20:33:21 +00:00
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
function preventXSS(html) {
|
|
|
|
return filterXSS(html, filterXSSOptions);
|
2016-02-11 09:45:13 +00:00
|
|
|
}
|