diff options
author | Wu Cheng-Han | 2016-08-15 11:00:02 +0800 |
---|---|---|
committer | Wu Cheng-Han | 2016-08-15 11:00:02 +0800 |
commit | ecd7218917184cdd755774aa779dfa72e95233c1 (patch) | |
tree | 540d2396b15408de1dc19fde969321b110a2890a /public | |
parent | 9bf7b92707c7e0355332378fde42f987fdb3d26a (diff) |
Update to support data uri in src attribute of image tag
Diffstat (limited to 'public')
-rw-r--r-- | public/js/render.js | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/public/js/render.js b/public/js/render.js index ff1ec9b3..6f1a1c19 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -2,6 +2,8 @@ var whiteListAttr = ['id', 'class', 'style']; // allow link starts with '.', '/' and custom protocol with '://' var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/; +// allow data uri, from https://gist.github.com/bgrins/6194623 +var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@\/?%\s]*)\s*$/i; // custom white list var whiteList = filterXSS.whiteList; // allow ol specify start number @@ -32,6 +34,10 @@ var filterXSSOptions = { if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) { return name + '="' + filterXSS.escapeAttrValue(value) + '"'; } + // allow data uri in img src + if (isWhiteAttr && (tag == "img" && name === 'src') && dataUriRegex.test(value)) { + return name + '="' + filterXSS.escapeAttrValue(value) + '"'; + } }, onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { // allow attr start with 'data-' or in the whiteListAttr |