From 2a774064afecc7c7880a6e91467b7ad755e8f681 Mon Sep 17 00:00:00 2001 From: "Cheng-Han, Wu" Date: Thu, 11 Feb 2016 14:33:21 -0600 Subject: [PATCH] Updated XSS filter options to allow style tag and style attribute --- public/js/render.js | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/public/js/render.js b/public/js/render.js index 1abb68c5..fada5899 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -1,13 +1,23 @@ -function preventXSS(html) { - var options = { - allowCommentTag: true, - onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { - // allow attr start with 'data-' or equal 'id' and 'class' - if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') { - // escape its value using built-in escapeAttrValue function - return name + '="' + filterXSS.escapeAttrValue(value) + '"'; - } +var whiteListAttr = ['id', 'class', 'style']; + +var filterXSSOptions = { + allowCommentTag: true, + onIgnoreTag: function (tag, html, options) { + // allow style in html + if (tag === 'style') { + // do not filter its attributes + return html; } - }; - return filterXSS(html, options); + }, + onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { + // allow attr start with 'data-' or in the whiteListAttr + if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) { + // escape its value using built-in escapeAttrValue function + return name + '="' + filterXSS.escapeAttrValue(value) + '"'; + } + } +}; + +function preventXSS(html) { + return filterXSS(html, filterXSSOptions); } \ No newline at end of file