From 8494f6a085a45d8c494b70e4a7c28182310e37ea Mon Sep 17 00:00:00 2001
From: RyotaK
Date: Wed, 21 Aug 2019 18:50:56 +0900
Subject: Don't accept sandbox attribute

Because sandbox is whitelist attribute, attacker will be able to create iframe that has more permission than default.

Signed-off-by: RyotaK <49341894+ry0tak@users.noreply.github.com>
---
 public/js/render.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'public/js')

diff --git a/public/js/render.js b/public/js/render.js
index d37f38ef..ebda2984 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -20,7 +20,7 @@
 whiteList['style'] = []
 // allow kbd tag
 whiteList['kbd'] = []
 // allow ifram tag with some safe attributes
-whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'width', 'height']
+whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'src', 'width', 'height']
 // allow summary tag
 whiteList['summary'] = []
 // allow ruby tag
-- 
cgit v1.2.3
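Review bot: Dropping `sandbox` from the iframe whitelist does not by itself restrict the frame — an `<iframe>` with no `sandbox` attribute runs with full permissions, so a user-supplied value is only a risk if the renderer applies its own fixed `sandbox` that the user's could replace, and that enforcement is not visible in this hunk. If the renderer does set one (for example through the sanitizer's per-attribute hook — `onTagAttr` if this whitelist belongs to the `xss` package), a pointer to it here would make the rationale checkable; if it does not, every embedded iframe stays unsandboxed and the commit message's reasoning does not hold. Either way the context comment above the changed line is now stale and misspelled; suggest `// allow iframe tag with some safe attributes ('sandbox' intentionally omitted: a user-supplied value must not replace the renderer's own sandbox policy)`.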