From 2a774064afecc7c7880a6e91467b7ad755e8f681 Mon Sep 17 00:00:00 2001
From: Cheng-Han, Wu
Date: Thu, 11 Feb 2016 14:33:21 -0600
Subject: Updated XSS filter options to allow style tag and style attribute

---
 public/js/render.js | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

(limited to 'public/js')

diff --git a/public/js/render.js b/public/js/render.js
index 1abb68c5..fada5899 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -1,13 +1,23 @@
-function preventXSS(html) {
-    var options = {
-        allowCommentTag: true,
-        onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
-            // allow attr start with 'data-' or equal 'id' and 'class'
-            if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') {
-                // escape its value using built-in escapeAttrValue function
-                return name + '="' + filterXSS.escapeAttrValue(value) + '"';
-            }
+var whiteListAttr = ['id', 'class', 'style'];
+
+var filterXSSOptions = {
+    allowCommentTag: true,
+    onIgnoreTag: function (tag, html, options) {
+        // allow style in html
+        if (tag === 'style') {
+            // do not filter its attributes
+            return html;
+        }
+    },
+    onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+        // allow attr start with 'data-' or in the whiteListAttr
+        if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
+            // escape its value using built-in escapeAttrValue function
+            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
         }
-    };
-    return filterXSS(html, options);
+    }
+};
+
+function preventXSS(html) {
+    return filterXSS(html, filterXSSOptions);
 }
\ No newline at end of file
-- 
cgit v1.2.3