diff options
| author | Cheng-Han, Wu | 2016-02-16 09:51:22 -0600 |
|---|---|---|
| committer | Cheng-Han, Wu | 2016-02-16 09:51:22 -0600 |
| commit | 2501b190ab16ba997557537725df4633b7e96e02 (patch) | |
| tree | fe0eb5ce889c8815431fca6576c2dcbe779f4cb5 /public | |
| parent | 26c40dca2d93a75db00232752cb16fc2972ec1d4 (diff) | |
Updated to support html comment tag in XSS
Diffstat (limited to 'public')
| -rw-r--r-- | public/js/render.js | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/public/js/render.js b/public/js/render.js index fada5899..18da145c 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -1,10 +1,11 @@ +var whiteListTag = ['style', '!--']; var whiteListAttr = ['id', 'class', 'style']; var filterXSSOptions = { allowCommentTag: true, onIgnoreTag: function (tag, html, options) { // allow style in html - if (tag === 'style') { + if (whiteListTag.indexOf(tag) !== -1) { // do not filter its attributes return html; } |