diff options
| author | RyotaK | 2019-08-21 18:50:56 +0900 |
|---|---|---|
| committer | Sheogorath | 2019-10-22 12:04:12 +0200 |
| commit | 8494f6a085a45d8c494b70e4a7c28182310e37ea (patch) | |
| tree | 73a74e8b8d884263507386b0dcc4be1588e620aa /public | |
| parent | 145285abf60665e624272c965e25d765983c1775 (diff) | |
Don't accept sandbox attribute
Because sandbox is whitelist attribute, attacker will be able to create iframe that has more permission than default.
Signed-off-by: RyotaK <49341894+ry0tak@users.noreply.github.com>
Diffstat (limited to 'public')
| -rw-r--r-- | public/js/render.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/public/js/render.js b/public/js/render.js index d37f38ef..ebda2984 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -20,7 +20,7 @@ whiteList['style'] = [] // allow kbd tag whiteList['kbd'] = [] // allow ifram tag with some safe attributes -whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'width', 'height'] +whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'src', 'width', 'height'] // allow summary tag whiteList['summary'] = [] // allow ruby tag |