Fix XSS vulnerability in link regex [Security Issue]

This commit is contained in:
Wu Cheng-Han 2017-03-22 18:26:35 +08:00
parent 0f3b028ed6
commit e629800457


@ -3,8 +3,8 @@
// allow some attributes // allow some attributes
var whiteListAttr = ['id', 'class', 'style'] var whiteListAttr = ['id', 'class', 'style']
window.whiteListAttr = whiteListAttr window.whiteListAttr = whiteListAttr
// allow link starts with '.', '/' and custom protocol with '://' // allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript://
var linkRegex = /^([\w|-]+:\/\/)|^([.|/])+/ var linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/
// allow data uri, from https://gist.github.com/bgrins/6194623 // allow data uri, from https://gist.github.com/bgrins/6194623
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
// custom white list // custom white list
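Review bot: The negative lookahead added to `linkRegex` on the new side of line 15 is case-sensitive, so a scheme spelled with different capitalisation (e.g. `JavaScript://`) still satisfies `[\w|-]+:\/\/` and is accepted; as committed the fix only rejects the exact lowercase spelling. At minimum add the `i` flag: `var linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/i`. Beyond that, a deny-list of a single scheme is fragile (no other scriptable scheme is excluded), and an allowlist of accepted schemes would be the safer shape, though that narrows the "custom protocol" behaviour the comment promises and is a design decision rather than a one-line change. Note also that `|` inside both character classes (`[\w|-]`, `[.|/]`) is a literal pipe, not alternation, so a link beginning with `|` is accepted; drop it if that is unintended. Where this regex is applied is outside the hunk, so whether callers normalise the URL (trim, decode) before testing cannot be judged from here.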