diff options
| author | Cheng-Han, Wu | 2016-02-11 03:45:13 -0600 |
|---|---|---|
| committer | Cheng-Han, Wu | 2016-02-11 03:45:13 -0600 |
| commit | 4c4a0e0f3fe9b4e33f2182f3f8e20d87736b371d (patch) | |
| tree | d3e79f4a2481ad55eac4e56a56bb541fbb214783 /public/js/render.js | |
| parent | 176021ccd85630abbc3af4001f9a590d4277e584 (diff) | |
Fixed prevent XSS might break lots of tags and only need after rendered
Diffstat (limited to 'public/js/render.js')
| -rw-r--r-- | public/js/render.js | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/public/js/render.js b/public/js/render.js new file mode 100644 index 00000000..1abb68c5 --- /dev/null +++ b/public/js/render.js @@ -0,0 +1,13 @@ +function preventXSS(html) { + var options = { + allowCommentTag: true, + onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { + // allow attr start with 'data-' or equal 'id' and 'class' + if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') { + // escape its value using built-in escapeAttrValue function + return name + '="' + filterXSS.escapeAttrValue(value) + '"'; + } + } + }; + return filterXSS(html, options); +}
\ No newline at end of file |