Fix XSS vulnerability in link regex [Security Issue]
This commit is contained in:
parent
0f3b028ed6
commit
e629800457
1 changed files with 2 additions and 2 deletions
|
@ -3,8 +3,8 @@
|
||||||
// allow some attributes
|
// allow some attributes
|
||||||
var whiteListAttr = ['id', 'class', 'style']
|
var whiteListAttr = ['id', 'class', 'style']
|
||||||
window.whiteListAttr = whiteListAttr
|
window.whiteListAttr = whiteListAttr
|
||||||
// allow link starts with '.', '/' and custom protocol with '://'
|
// allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript://
|
||||||
var linkRegex = /^([\w|-]+:\/\/)|^([.|/])+/
|
var linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/
|
||||||
// allow data uri, from https://gist.github.com/bgrins/6194623
|
// allow data uri, from https://gist.github.com/bgrins/6194623
|
||||||
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
|
var dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
|
||||||
// custom white list
|
// custom white list
|
||||||
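Review bot: The negative lookahead added to linkRegex is case-sensitive, while browsers treat URL schemes case-insensitively, so a scheme spelled with any uppercase letter is not caught by `(?!javascript:\/\/)` but still satisfies `[\w|-]+:\/\/` and is accepted; the minimal fix is the `i` flag, `var linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/i`. A denylist of a single scheme is also a fragile control: the comment on the previous line states that any custom protocol followed by `://` is allowed, so an allowlist of the schemes the application actually expects would be the more robust shape if callers can tolerate it. Separately, the `|` inside `[\w|-]` and `[.|/]` is a literal pipe character rather than alternation, which does not look intended; `[\w-]` and `[./]` express what the comment describes. The regex is anchored only at the start, so it validates a prefix of the value rather than the whole link; whether that is acceptable depends on how linkRegex is applied, which is outside this hunk.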
|
|