Update to support data uri in src attribute of image tag

author: Wu Cheng-Han 2016-08-15 11:00:02 +0800
committer: Wu Cheng-Han 2016-08-15 11:00:02 +0800
commit: ecd7218917184cdd755774aa779dfa72e95233c1 (patch)
tree: 540d2396b15408de1dc19fde969321b110a2890a /public
parent: 9bf7b92707c7e0355332378fde42f987fdb3d26a (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/public/js/render.js b/public/js/render.js
index ff1ec9b3..6f1a1c19 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -2,6 +2,8 @@
 var whiteListAttr = ['id', 'class', 'style'];
 // allow link starts with '.', '/' and custom protocol with '://'
 var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
+// allow data uri, from https://gist.github.com/bgrins/6194623
+var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@\/?%\s]*)\s*$/i;
 // custom white list
 var whiteList = filterXSS.whiteList;
 // allow ol specify start number
@@ -32,6 +34,10 @@ var filterXSSOptions = {
         if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
             return name + '="' + filterXSS.escapeAttrValue(value) + '"';
         }
+        // allow data uri in img src
+        if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) {
+            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
+        }
     },
     onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
         // allow attr start with 'data-' or in the whiteListAttr
author	Wu Cheng-Han	2016-08-15 11:00:02 +0800
committer	Wu Cheng-Han	2016-08-15 11:00:02 +0800
commit	ecd7218917184cdd755774aa779dfa72e95233c1 (patch)
tree	540d2396b15408de1dc19fde969321b110a2890a /public
parent	9bf7b92707c7e0355332378fde42f987fdb3d26a (diff)