author | Cheng-Han, Wu | 2016-04-20 18:18:52 +0800 |
committer | Cheng-Han, Wu | 2016-04-20 18:18:52 +0800 |
commit | f6a995143d4ec5d1649ecb7e7678649c1f8449c4 (patch) | |
tree | 5176fe43f7e62f1b8fada42859a489a319dcc8ca | |
parent | b823ed1d7cf5c9cf1f0ac4e83bbac6476c48e33b (diff) |
Update filter XSS to allow attr href starts with '.' or '/'
Diffstat (limited to '')
-rw-r--r-- | public/js/render.js | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/public/js/render.js b/public/js/render.js
index 5c2b017a..687d23c8 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -14,6 +14,12 @@ var filterXSSOptions = {
 return html;
 }
 },
+ onTagAttr: function (tag, name, value, isWhiteAttr) {
+ // allow href starts with '.' or '/'
+ if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) {
+ return name + '="' + filterXSS.escapeAttrValue(value) + '"';
+ }
+ },
 onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
 // allow attr start with 'data-' or in the whiteListAttr
 if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) { |
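Review bot: The guard in the added onTagAttr uses loose equality and a substring search (`value.indexOf('.') == 0 || value.indexOf('/') == 0`) where a prefix test is meant; `value.charAt(0) === '.' || value.charAt(0) === '/'` states the intent directly and avoids the `==` coercion. Because returning a string from this hook short-circuits the library's own href handling for these values, the comment should spell out what the branch lets through: a value beginning with `//` is a protocol-relative absolute URL rather than a site-local path, so off-site links are accepted here too, and if only same-origin paths are intended the condition should add `&& value.indexOf('//') !== 0`. The surrounding filterXSSOptions object begins before the hunk and continues past it.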