summaryrefslogtreecommitdiff
path: root/public
diff options
context:
space:
mode:
authorCheng-Han, Wu2016-02-11 14:33:21 -0600
committerCheng-Han, Wu2016-02-11 14:33:21 -0600
commit2a774064afecc7c7880a6e91467b7ad755e8f681 (patch)
tree1b04a0e55667b624f8681fad0188cb08b6bef35d /public
parent4c4a0e0f3fe9b4e33f2182f3f8e20d87736b371d (diff)
Updated XSS filter options to allow style tag and style attribute
Diffstat (limited to 'public')
-rw-r--r--public/js/render.js32
1 files changed, 21 insertions, 11 deletions
diff --git a/public/js/render.js b/public/js/render.js
index 1abb68c5..fada5899 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -1,13 +1,23 @@
-function preventXSS(html) {
- var options = {
- allowCommentTag: true,
- onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
- // allow attr start with 'data-' or equal 'id' and 'class'
- if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') {
- // escape its value using built-in escapeAttrValue function
- return name + '="' + filterXSS.escapeAttrValue(value) + '"';
- }
+var whiteListAttr = ['id', 'class', 'style'];
+
+var filterXSSOptions = {
+ allowCommentTag: true,
+ onIgnoreTag: function (tag, html, options) {
+ // allow style in html
+ if (tag === 'style') {
+ // do not filter its attributes
+ return html;
+ }
+ },
+ onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+ // allow attr start with 'data-' or in the whiteListAttr
+ if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
+ // escape its value using built-in escapeAttrValue function
+ return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
- };
- return filterXSS(html, options);
+ }
+};
+
+function preventXSS(html) {
+ return filterXSS(html, filterXSSOptions);
} \ No newline at end of file