Update filter XSS to allow attr href starts with '.' or '/'

Cheng-Han, Wu 2016-04-20 18:18:52 +08:00
parent b823ed1d7c
commit f6a995143d
1 changed files with 6 additions and 0 deletions


@ -14,6 +14,12 @@ var filterXSSOptions = {
return html; return html;
} }
}, },
onTagAttr: function (tag, name, value, isWhiteAttr) {
// allow href starts with '.' or '/'
if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) {
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
},
onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
// allow attr start with 'data-' or in the whiteListAttr // allow attr start with 'data-' or in the whiteListAttr
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) { if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
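Review bot: The prefix test in the new `onTagAttr` is broader than its comment suggests: any `href` beginning with `/` passes, which includes protocol-relative values such as `//host/path` that point off-site, and the `tag` argument is never consulted, so the rule applies to `href` on every whitelisted tag rather than only `<a>`. Because the handler returns the attribute string itself, these values presumably bypass the library's own href value check and `filterXSS.escapeAttrValue` is the only processing they receive; that is adequate against attribute breakout, since a value starting with `.` or `/` cannot carry a scheme, but it deserves a comment saying so. If only same-site relative links are intended, tighten the condition to something like `tag === 'a' && /^(\.{1,2}\/|\/(?![\/\\]))/.test(value)`, and in any case prefer `value.charAt(0) === '.'` over `value.indexOf('.') == 0`, which scans the whole string and uses loose equality. A one-line comment noting that falling through (returning undefined) leaves the attribute to the default handling would also help the next reader.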