Update XSS policy to allow iframe and link with custom protocol

This commit is contained in:
Wu Cheng-Han 2016-08-14 18:32:22 +08:00
parent f11cab7b45
commit cf290e86e1

View file

@ -1,22 +1,35 @@
var whiteListTag = ['style', '!--', 'kbd']; // allow some attributes
var whiteListAttr = ['id', 'class', 'style']; var whiteListAttr = ['id', 'class', 'style'];
// allow link starts with '.', '/' and custom protocol with '://'
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
// custom white list
var whiteList = filterXSS.whiteList;
// allow ol specify start number
whiteList['ol'] = ['start'];
// allow style tag
whiteList['style'] = [];
// allow kbd tag
whiteList['kbd'] = [];
// allow ifram tag with some safe attributes
whiteList['iframe'] = ['allowfullscreen', 'name', 'referrerpolicy', 'sandbox', 'src', 'srcdoc', 'width', 'height'];
var filterXSSOptions = { var filterXSSOptions = {
allowCommentTag: true, allowCommentTag: true,
whiteList: whiteList,
escapeHtml: function (html) { escapeHtml: function (html) {
// to allow html comment in multiple lines // allow html comment in multiple lines
return html.replace(/<(.*?)>/g, '&lt;$1&gt;'); return html.replace(/<(.*?)>/g, '&lt;$1&gt;');
}, },
onIgnoreTag: function (tag, html, options) { onIgnoreTag: function (tag, html, options) {
// allow style in html // allow comment tag
if (whiteListTag.indexOf(tag) !== -1) { if (tag == "!--") {
// do not filter its attributes // do not filter its attributes
return html; return html;
} }
}, },
onTagAttr: function (tag, name, value, isWhiteAttr) { onTagAttr: function (tag, name, value, isWhiteAttr) {
// allow href starts with '.' or '/' // allow href and src that match linkRegex
if (isWhiteAttr && name === 'href' && (value.indexOf('.') == 0 || value.indexOf('/') == 0)) { if (isWhiteAttr && (name === 'href' || name === 'src') && linkRegex.test(value)) {
return name + '="' + filterXSS.escapeAttrValue(value) + '"'; return name + '="' + filterXSS.escapeAttrValue(value) + '"';
} }
}, },
@ -26,10 +39,6 @@ var filterXSSOptions = {
// escape its value using built-in escapeAttrValue function // escape its value using built-in escapeAttrValue function
return name + '="' + filterXSS.escapeAttrValue(value) + '"'; return name + '="' + filterXSS.escapeAttrValue(value) + '"';
} }
// allow ol specify start number
if (tag === 'ol' && name === 'start') {
return name + '="' + filterXSS.escapeAttrValue(value) + '"';
}
} }
}; };