diff options
author | Wu Cheng-Han | 2017-03-22 18:26:35 +0800 |
---|---|---|
committer | Wu Cheng-Han | 2017-03-22 18:26:35 +0800 |
commit | e6298004572004b0f27b29a4b7ed51f884ba0095 (patch) | |
tree | c9ce423c0e30bde22b951a3bfc5a43f3b5b39a8d /public/js | |
parent | 0f3b028ed61c5c26309d5f8d49fa4bb09460077c (diff) |
Fix XSS vulnerability in link regex [Security Issue]
Diffstat (limited to 'public/js')
-rw-r--r-- | public/js/render.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/public/js/render.js b/public/js/render.js index 746820ae..d16181ab 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -3,8 +3,8 @@ // allow some attributes var whiteListAttr = ['id', 'class', 'style'] window.whiteListAttr = whiteListAttr -// allow link starts with '.', '/' and custom protocol with '://' -var linkRegex = /^([\w|-]+:\/\/)|^([.|/])+/ +// allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript:// +var linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/ // allow data uri, from https://gist.github.com/bgrins/6194623 var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i // custom white list |