From f6a995143d4ec5d1649ecb7e7678649c1f8449c4 Mon Sep 17 00:00:00 2001
From: Cheng-Han, Wu
Date: Wed, 20 Apr 2016 18:18:52 +0800
Subject: Update filter XSS to allow attr href starts with '.' or '/'

---
 public/js/render.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/js/render.js b/public/js/render.js
index 5c2b017a..687d23c8 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -14,6 +14,12 @@ var filterXSSOptions = {
             return html;
         }
     },
+    onTagAttr: function (tag, name, value, isWhiteAttr) {
+        // allow href starts with '.' or '/'
+        if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) {
+            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
+        }
+    },
     onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
         // allow attr start with 'data-' or in the whiteListAttr
         if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
-- 
cgit v1.2.3