summaryrefslogtreecommitdiff
path: root/public
diff options
context:
space:
mode:
authorWu Cheng-Han2016-08-14 18:32:22 +0800
committerWu Cheng-Han2016-08-14 18:32:22 +0800
commitcf290e86e13b6230707f9ce8c6ee0b793c2323c0 (patch)
tree65ae54462d951de1a783d5f3b2169159ae2bcbf5 /public
parentf11cab7b457f20f80992af752aea2fe245eac451 (diff)
Update XSS policy to allow iframe and link with custom protocol
Diffstat (limited to 'public')
-rw-r--r--public/js/render.js29
1 files changed, 19 insertions, 10 deletions
diff --git a/public/js/render.js b/public/js/render.js
index 687d23c8..ff1ec9b3 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -1,22 +1,35 @@
-var whiteListTag = ['style', '!--', 'kbd'];
+// allow some attributes
var whiteListAttr = ['id', 'class', 'style'];
+// allow link starts with '.', '/' and custom protocol with '://'
+var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
+// custom white list
+var whiteList = filterXSS.whiteList;
+// allow ol specify start number
+whiteList['ol'] = ['start'];
+// allow style tag
+whiteList['style'] = [];
+// allow kbd tag
+whiteList['kbd'] = [];
+// allow ifram tag with some safe attributes
+whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height'];
var filterXSSOptions = {
allowCommentTag: true,
+ whiteList: whiteList,
escapeHtml: function (html) {
- // to allow html comment in multiple lines
+ // allow html comment in multiple lines
return html.replace(/<(.*?)>/g, '&lt;$1&gt;');
},
onIgnoreTag: function (tag, html, options) {
- // allow style in html
- if (whiteListTag.indexOf(tag) !== -1) {
+ // allow comment tag
+ if (tag == "!--") {
// do not filter its attributes
return html;
}
},
onTagAttr: function (tag, name, value, isWhiteAttr) {
- // allow href starts with '.' or '/'
- if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) {
+ // allow href and src that match linkRegex
+ if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
},
@@ -26,10 +39,6 @@ var filterXSSOptions = {
// escape its value using built-in escapeAttrValue function
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
- // allow ol specify start number
- if (tag === 'ol' && name === 'start') {
- return name + '="' + filterXSS.escapeAttrValue(value) + '"';
- }
}
};