Updated XSS filter options to allow style tag and style attribute

2016-02-11 14:33:21 -06:00 · 2016-02-11 14:33:21 -06:00 · 2a774064af
parent 4c4a0e0f3f
commit 2a774064af
1 changed files with 21 additions and 11 deletions
--- a/public/js/render.js
+++ b/public/js/render.js
@ -1,13 +1,23 @@
-function preventXSS(html) {
-    var options = {
-        allowCommentTag: true,
-        onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
-            // allow attr start with 'data-' or equal 'id' and 'class'
-            if (name.substr(0, 5) === 'data-' || name === 'id' || name === 'class') {
-                // escape its value using built-in escapeAttrValue function
-                return name + '="' + filterXSS.escapeAttrValue(value) + '"';
-            }
+var whiteListAttr = ['id', 'class', 'style'];
+
+var filterXSSOptions = {
+    allowCommentTag: true,
+    onIgnoreTag: function (tag, html, options) {
+        // allow style in html
+        if (tag === 'style') {
+            // do not filter its attributes
+            return html;
        }
-    };
-    return filterXSS(html, options);
+    },
+    onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+        // allow attr start with 'data-' or in the whiteListAttr
+        if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) {
+            // escape its value using built-in escapeAttrValue function
+            return name + '="' + filterXSS.escapeAttrValue(value) + '"';
+        }
+    }
+};
+
+function preventXSS(html) {
+    return filterXSS(html, filterXSSOptions);
 }