From 2501b190ab16ba997557537725df4633b7e96e02 Mon Sep 17 00:00:00 2001
From: "Cheng-Han, Wu"
Date: Tue, 16 Feb 2016 09:51:22 -0600
Subject: [PATCH] Updated to support html comment tag in XSS

---
 public/js/render.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/public/js/render.js b/public/js/render.js
index fada589..18da145 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -1,10 +1,11 @@
+var whiteListTag = ['style', '!--'];
 var whiteListAttr = ['id', 'class', 'style'];
 var filterXSSOptions = {
 allowCommentTag: true,
 onIgnoreTag: function (tag, html, options) {
 // allow style in html
- if (tag === 'style') {
+ if (whiteListTag.indexOf(tag) !== -1) {
 // do not filter its attributes
 return html;
 }