Updated to support html comment tag in XSS

Cheng-Han, Wu 2016-02-16 09:51:22 -06:00
parent 26c40dca2d
commit 2501b190ab


@ -1,10 +1,11 @@
var whiteListTag = ['style', '!--'];
var whiteListAttr = ['id', 'class', 'style']; var whiteListAttr = ['id', 'class', 'style'];
var filterXSSOptions = { var filterXSSOptions = {
allowCommentTag: true, allowCommentTag: true,
onIgnoreTag: function (tag, html, options) { onIgnoreTag: function (tag, html, options) {
// allow style in html // allow style in html
if (tag === 'style') { if (whiteListTag.indexOf(tag) !== -1) {
// do not filter its attributes // do not filter its attributes
return html; return html;
} }
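Review bot: The widened condition `if (whiteListTag.indexOf(tag) !== -1)` returns the raw `html` for anything the parser labels `!--`, so comment markup now bypasses this handler's filtering entirely, while the surrounding comments still describe only the `style` case. What the parser hands over as one `!--` tag may not line up with what a browser treats as a complete comment; this is inferred, since the parser is not visible here, so I would confirm it with tests on malformed and unterminated comments before merging. At minimum the first comment should read `// pass whitelisted tags (style, html comments) through unescaped`, and `// do not filter its attributes` should say it now covers comment content as well. The body of `onIgnoreTag` continues outside the hunk.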