Diffstat (limited to 'public/js/render.js')
-rw-r--r-- | public/js/render.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/public/js/render.js b/public/js/render.js
index 88a05bde..46489247 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -18,7 +18,7 @@ whiteList['style'] = []
 // allow kbd tag
 whiteList['kbd'] = []
 // allow ifram tag with some safe attributes
-whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height']
+whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'width', 'height']
 // allow summary tag
 whiteList['summary'] = []
@@ -27,7 +27,7 @@ var filterXSSOptions = {
 whiteList: whiteList,
 escapeHtml: function (html) {
 // allow html comment in multiple lines
- return html.replace(/<(.*?)>/g, '<$1>')
+ return html.replace(/<(?!!--)/g, '<').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '>').replace(/__HTML_COMMENT_END__/g, '-->')
 },
 onIgnoreTag: function (tag, html, options) {
 // allow comment tag |
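Review bot: Dropping `srcdoc` closes the inline-markup path, but `src` stays on the iframe whitelist and nothing in this hunk constrains its value, so rejecting a script-bearing URL scheme relies on the filter's `safeAttrValue`/`onTagAttr` handling, which is outside this diff; worth confirming that the options object does not override the library's default attribute-value check, or pairing this change with an explicit scheme allow-list for `src`. The comment `// allow ifram tag with some safe attributes` has a typo; `// allow iframe tag with some safe attributes` reads better. The whiteList assignment run continues before and after this hunk.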
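Review bot: The new `escapeHtml` routes comment terminators through a plain-text sentinel, so any input that already contains `__HTML_COMMENT_END__` is rewritten into a literal `-->` and can close a comment the author did not open, while the `<!--` opener is left through unconditionally; a single tokenising replace needs no sentinel and keeps the same escaping rules: `return html.replace(/<!--|-->|[<>]/g, function (m) { return m === '<' ? '&lt;' : m === '>' ? '&gt;' : m })`. The replacement strings shown here as `'<'` and `'>'` look like entity-decoded renderings of `'&lt;'` and `'&gt;'`; if the committed source literally replaces `<` with `<`, the escape is a no-op and should be checked in the raw file. The enclosing `filterXSSOptions` object literal starts and ends outside the hunk.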