authorRyotaK2019-08-21 18:50:56 +0900
committerSheogorath2019-10-22 12:04:12 +0200
commit8494f6a085a45d8c494b70e4a7c28182310e37ea (patch)
tree73a74e8b8d884263507386b0dcc4be1588e620aa /public/js
parent145285abf60665e624272c965e25d765983c1775 (diff)
Don't accept sandbox attribute
Because sandbox is a whitelist attribute, an attacker would be able to create an iframe that has more permissions than the default. Signed-off-by: RyotaK <49341894+ry0tak@users.noreply.github.com>
Diffstat (limited to '')
-rw-r--r--public/js/render.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/public/js/render.js b/public/js/render.js
index d37f38ef..ebda2984 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -20,7 +20,7 @@ whiteList['style'] = []
// allow kbd tag
whiteList['kbd'] = []
// allow ifram tag with some safe attributes
-whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'width', 'height']
+whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'src', 'width', 'height']
// allow summary tag
whiteList['summary'] = []
// allow ruby tag
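Review bot: The reason `sandbox` is excluded from the iframe whitelist is recorded only in the commit message, so the comment above the new line still reads as a plain "safe attributes" list and a later maintainer could re-add `sandbox` without seeing the hazard; I would extend that comment to `// allow iframe tag with some safe attributes; 'sandbox' is deliberately NOT accepted - a user-supplied value can only loosen restrictions, so it must come from the renderer, not the document` (this also fixes the `ifram` typo). Whether the rendering path actually applies its own restrictive sandbox to iframes is outside this hunk, so that claim should be confirmed against the code that emits the frame. The remaining `src` entry is also only as safe as the URL scheme filtering applied elsewhere, which this hunk does not show.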