Update XSS policy to allow iframe and link with custom protocol
This commit is contained in:
Wu Cheng-Han
parent
f11cab7b45
commit
cf290e86e1
1 changed files with 19 additions and 10 deletions
|
|
@ -1,22 +1,35 @@
|
||||||
var whiteListTag = ['style', '!--', 'kbd'];
|
// allow some attributes
|
||||||
var whiteListAttr = ['id', 'class', 'style'];
|
var whiteListAttr = ['id', 'class', 'style'];
|
||||||
|
// allow link starts with '.', '/' and custom protocol with '://'
|
||||||
|
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
|
||||||
|
// custom white list
|
||||||
|
var whiteList = filterXSS.whiteList;
|
||||||
|
// allow ol specify start number
|
||||||
|
whiteList['ol'] = ['start'];
|
||||||
|
// allow style tag
|
||||||
|
whiteList['style'] = [];
|
||||||
|
// allow kbd tag
|
||||||
|
whiteList['kbd'] = [];
|
||||||
|
// allow ifram tag with some safe attributes
|
||||||
|
whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height'];
|
||||||
|
|
||||||
var filterXSSOptions = {
|
var filterXSSOptions = {
|
||||||
allowCommentTag: true,
|
allowCommentTag: true,
|
||||||
|
whiteList: whiteList,
|
||||||
escapeHtml: function (html) {
|
escapeHtml: function (html) {
|
||||||
// to allow html comment in multiple lines
|
// allow html comment in multiple lines
|
||||||
return html.replace(/<(.*?)>/g, '<$1>');
|
return html.replace(/<(.*?)>/g, '<$1>');
|
||||||
},
|
},
|
||||||
onIgnoreTag: function (tag, html, options) {
|
onIgnoreTag: function (tag, html, options) {
|
||||||
// allow style in html
|
// allow comment tag
|
||||||
if (whiteListTag.indexOf(tag) !== -1) {
|
if (tag == "!--") {
|
||||||
// do not filter its attributes
|
// do not filter its attributes
|
||||||
return html;
|
return html;
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
onTagAttr: function (tag, name, value, isWhiteAttr) {
|
onTagAttr: function (tag, name, value, isWhiteAttr) {
|
||||||
// allow href starts with '.' or '/'
|
// allow href and src that match linkRegex
|
||||||
if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) {
|
if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
|
||||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
@ -26,10 +39,6 @@ var filterXSSOptions = {
|
||||||
// escape its value using built-in escapeAttrValue function
|
// escape its value using built-in escapeAttrValue function
|
||||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
||||||
}
|
}
|
||||||
// allow ol specify start number
|
|
||||||
if (tag === 'ol' && name === 'start') {
|
|
||||||
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue