depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Updated to support html comment tag in XSS

Browse source
This commit is contained in:
Cheng-Han, Wu 2016-02-16 09:51:22 -06:00
parent 26c40dca2d
commit 2501b190ab
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
public/js/render.js
View file

@ -1,10 +1,11 @@
var whiteListTag = ['style', '!--'];
var whiteListAttr = ['id', 'class', 'style'];
var filterXSSOptions = {
allowCommentTag: true,
onIgnoreTag: function (tag, html, options) {
// allow style in html
if (tag === 'style') {
if (whiteListTag.indexOf(tag) !== -1) {
// do not filter its attributes
return html;
}